Merge branch 'master-next'

Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

72 files changed, 207 insertions, 1957 deletions

diff --git a/conf/distro/oe-selinux.conf b/conf/distro/oe-selinux.conf
index 5f4af87..6e55a32 100644
--- a/conf/distro/oe-selinux.conf
+++ b/conf/distro/oe-selinux.conf
@@ -1,4 +1,4 @@
 DISTRO = "oe-selinux"
 DISTROOVERRIDES .= ":selinux"
 
-DISTRO_FEATURES_append = " acl xattr pam selinux compressed_policy"
+DISTRO_FEATURES_append = " acl xattr pam selinux"
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch b/recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch
deleted file mode 100644
index fced84a..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 56c43144d7dcf5fec969c9aa9cb97679ccad50cc Mon Sep 17 00:00:00 2001
-From: Sven Vermeulen <sven.vermeulen@siphos.be>
-Date: Wed, 25 Sep 2013 20:27:34 +0200
-Subject: [PATCH] Allow ping to get/set capabilities
-
-When ping is installed with capabilities instead of being marked setuid,
-then the ping_t domain needs to be allowed to getcap/setcap.
-
-Reported-by: Luis Ressel <aranea@aixah.de>
-Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
-
-Upstream-Status: backport
----
- policy/modules/admin/netutils.te |    2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index 557da97..cfe036a 100644
---- a/policy/modules/admin/netutils.te
-+++ b/policy/modules/admin/netutils.te
-@@ -106,6 +106,8 @@ optional_policy(`
- #
- 
- allow ping_t self:capability { setuid net_raw };
-+# When ping is installed with capabilities instead of setuid
-+allow ping_t self:process { getcap setcap };
- dontaudit ping_t self:capability sys_tty_config;
- allow ping_t self:tcp_socket create_socket_perms;
- allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
--- 
-1.7.10.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/Allow-udev-the-block_suspend-capability.patch b/recipes-security/refpolicy/refpolicy-2.20130424/Allow-udev-the-block_suspend-capability.patch
deleted file mode 100644
index 3c6a979..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20130424/Allow-udev-the-block_suspend-capability.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Allow udev the block_suspend capability
-
-Upstream-Status: backport
-upstream commit: 5905067f2acf710ffbb13ba32575e6316619ddd8
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- policy/modules/system/udev.te |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 90e4ab3..efe6c02 100644
---- a/policy/modules/system/udev.te
-+++ b/policy/modules/system/udev.te
-@@ -39,6 +39,7 @@ ifdef(`enable_mcs',`
- 
- allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
- dontaudit udev_t self:capability sys_tty_config;
-+allow udev_t self:capability2 block_suspend;
- allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow udev_t self:process { execmem setfscreate };
- allow udev_t self:fd use;
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch b/recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch
deleted file mode 100644
index 094d9e5..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Upstream-Status: backport
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-=========================
-From e3072cb7bf8f9e09598f01c9eb58d9cfb319d8a1 Mon Sep 17 00:00:00 2001
-From: Dominick Grift <dominick.grift@gmail.com>
-Date: Tue, 24 Sep 2013 15:39:21 +0200
-Subject: [PATCH] filesystem: associate tmpfs_t (shm) to device_t (devtmpfs)
- file systems
-
-Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
----
- policy/modules/kernel/filesystem.te |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index ed59e5e..f72cde1 100644
---- a/policy/modules/kernel/filesystem.te
-+++ b/policy/modules/kernel/filesystem.te
-@@ -177,6 +177,7 @@ genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
- # tmpfs_t is the type for tmpfs filesystems
- #
- type tmpfs_t;
-+dev_associate(tmpfs_t)
- fs_type(tmpfs_t)
- files_type(tmpfs_t)
- files_mountpoint(tmpfs_t)
--- 
-1.7.10.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/hostname-do-not-audit-attempts-by-hostname-to-read-a.patch b/recipes-security/refpolicy/refpolicy-2.20130424/hostname-do-not-audit-attempts-by-hostname-to-read-a.patch
deleted file mode 100644
index edba56d..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20130424/hostname-do-not-audit-attempts-by-hostname-to-read-a.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 0857061b58e5ec0bf00e78839254f21519ed55d4 Mon Sep 17 00:00:00 2001
-From: Dominick Grift <dominick.grift@gmail.com>
-Date: Fri, 27 Sep 2013 10:36:14 +0200
-Subject: [PATCH] hostname: do not audit attempts by hostname to read and
- write dhcpc udp sockets (looks like a leaked fd)
-
-Upstream-Status: backport
-
-Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
----
- policy/modules/system/hostname.te   |    1 +
- policy/modules/system/sysnetwork.if |   19 +++++++++++++++++++
- 2 files changed, 20 insertions(+)
-
-diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
-index f6cbda9..380197b 100644
---- a/policy/modules/system/hostname.te
-+++ b/policy/modules/system/hostname.te
-@@ -51,6 +51,7 @@ logging_send_syslog_msg(hostname_t)
- 
- miscfiles_read_localization(hostname_t)
- 
-+sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t)
- sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
- sysnet_read_config(hostname_t)
- sysnet_dns_name_resolve(hostname_t)
-diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 52b548c..2cea692 100644
---- a/policy/modules/system/sysnetwork.if
-+++ b/policy/modules/system/sysnetwork.if
-@@ -47,6 +47,25 @@ interface(`sysnet_run_dhcpc',`
- 
- ########################################
- ## <summary>
-+##     Do not audit attempts to read and
-+##     write dhcpc udp socket descriptors.
-+## </summary>
-+## <param name="domain">
-+##     <summary>
-+##     Domain to not audit.
-+##     </summary>
-+## </param>
-+#
-+interface(`sysnet_dontaudit_rw_dhcpc_udp_sockets',`
-+       gen_require(`
-+               type dhcpc_t;
-+       ')
-+
-+       dontaudit $1 dhcpc_t:udp_socket { read write };
-+')
-+
-+########################################
-+## <summary>
- ##     Do not audit attempts to use
- ##     the dhcp file descriptors.
- ## </summary>
--- 
-1.7.10.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-xconsole_device_t-as-a-dev_node.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-xconsole_device_t-as-a-dev_node.patch
deleted file mode 100644
index aa870f4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-xconsole_device_t-as-a-dev_node.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 843299c135c30b036ed163a10570a1d5efe36ff8 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 1/2] fix xconsole_device_t as a dev_node.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
- policy/modules/services/xserver.te |    1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 4f6d693..b00f004 100644
---- a/policy/modules/services/xserver.te
-+++ b/policy/modules/services/xserver.te
-@@ -151,6 +151,7 @@ userdom_user_tmp_file(xauth_tmp_t)
- # this is not actually a device, its a pipe
- type xconsole_device_t;
- files_type(xconsole_device_t)
-+dev_node(xconsole_device_t)
- fs_associate_tmpfs(xconsole_device_t)
- files_associate_tmp(xconsole_device_t)
- 
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch b/recipes-security/refpolicy/refpolicy-2.20130424/sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch
deleted file mode 100644
index e95d675..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20130424/sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From b1599e01fe3f3e7a1c2048d1c466e3e842952924 Mon Sep 17 00:00:00 2001
-From: Dominick Grift <dominick.grift@gmail.com>
-Date: Fri, 27 Sep 2013 11:35:41 +0200
-Subject: [PATCH] sysnetwork: dhcpc binds socket to random high udp ports
- sysnetwork: do not audit attempts by ifconfig to read, and
- write dhcpc udp sockets (looks like a leaked fd)
-
-Upstream-Status: backport
-
-Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
----
- policy/modules/system/sysnetwork.te |    6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index f9dce11..67709b5 100644
---- a/policy/modules/system/sysnetwork.te
-+++ b/policy/modules/system/sysnetwork.te
-@@ -111,7 +111,9 @@ corenet_tcp_bind_dhcpc_port(dhcpc_t)
- corenet_udp_bind_dhcpc_port(dhcpc_t)
- corenet_tcp_connect_all_ports(dhcpc_t)
- corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
--corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
-+
-+corenet_sendrecv_all_server_packets(dhcpc_t)
-+corenet_udp_bind_all_unreserved_ports(dhcpc_t)
- 
- dev_read_sysfs(dhcpc_t)
- # for SSP:
-@@ -313,6 +315,8 @@ modutils_domtrans_insmod(ifconfig_t)
- 
- seutil_use_runinit_fds(ifconfig_t)
- 
-+sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
-+
- userdom_use_user_terminals(ifconfig_t)
- userdom_use_all_users_fds(ifconfig_t)
- 
--- 
-1.7.10.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-2.20140311/ftp-add-ftpd_t-to-mlsfilewrite.patch
index 49da4b6..49da4b6 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/ftp-add-ftpd_t-to-mlsfilewrite.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/ftp-add-ftpd_t-to-mlsfilewrite.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-clock.patch
index 3ff8f55..3ff8f55 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-clock.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-clock.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-corecommands.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-corecommands.patch
index 24b67c3..24b67c3 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-corecommands.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-corecommands.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-dmesg.patch
index db4c4d4..db4c4d4 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-dmesg.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-dmesg.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-bind.patch
index 59ba5bc..59ba5bc 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-bind.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-bind.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_login.patch
index 427181e..427181e 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_login.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_login.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_resolv.conf.patch
index 80cca67..80cca67 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_resolv.conf.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_resolv.conf.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_shadow.patch
index 29ac2c3..29ac2c3 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_shadow.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_shadow.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_su.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_su.patch
index b0392ce..b0392ce 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_su.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_su.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fstools.patch
index 5343893..38c96c4 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fstools.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fstools.patch
@@ -6,12 +6,11 @@ Subject: [PATCH] refpolicy: fix real path for fstools
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
- policy/modules/system/fstools.fc |   12 ++++++++++++
- 1 file changed, 12 insertions(+)
+ policy/modules/system/fstools.fc |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
 
-diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index 7a46b45..a724776 100644
 --- a/policy/modules/system/fstools.fc
 +++ b/policy/modules/system/fstools.fc
 @@ -1,6 +1,8 @@
@@ -23,48 +22,44 @@ index 7a46b45..a724776 100644
  /sbin/cfdisk           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/dosfsck          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/dump             --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -9,9 +11,12 @@
+@@ -9,9 +11,11 @@
  /sbin/e4fsck           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/e2label          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/fdisk            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/sbin/fdisk\.util-linux        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/findfs           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/findfs               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/fsck.*           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/hdparm           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/sbin/hdparm\.hdparm   --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/install-mbr      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/jfs_.*           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/losetup.*                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -24,21 +29,28 @@
+@@ -24,6 +28,7 @@
  /sbin/mkraid           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/mkreiserfs       --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/mkswap           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/sbin/mkswap\.util-linux       --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/parted           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/parted               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partprobe                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/partprobe            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partx            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/partx                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/raidautorun      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/raidstart                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/reiserfs(ck|tune)        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/resize.*fs       --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -34,6 +39,7 @@
  /sbin/scsi_info                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/sfdisk           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/sfdisk               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/swapoff          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/sbin/swapoff\.util-linux      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/swapon.*         --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/tune2fs          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/zdb              --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -50,7 +56,12 @@
  
- /usr/bin/partition_uuid        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/raw           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/clubufflush  --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fatsort      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/findfs               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/parted       --      gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/partprobe            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/partx                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/usr/sbin/raw          --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/scsi_unique_id        --      gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/syslinux      --      gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/sfdisk               --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/smartctl     --      gen_context(system_u:object_r:fsadm_exec_t,s0)
  
--- 
-1.7.9.5
-
+ /var/log/fsck(/.*)?            gen_context(system_u:object_r:fsadm_log_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ftpwho-dir.patch
index a7d434f..a7d434f 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-ftpwho-dir.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ftpwho-dir.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-iptables.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-iptables.patch
index 89b1547..89b1547 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-iptables.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-iptables.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-mta.patch
index bbd83ec..bbd83ec 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-mta.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-mta.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-netutils.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-netutils.patch
index b45d03e..b45d03e 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-netutils.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-netutils.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-nscd.patch
index 1db328c..1db328c 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-nscd.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-nscd.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-rpm.patch
index 7ba3380..7ba3380 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-rpm.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-rpm.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-screen.patch
index 3218194..3218194 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-screen.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-screen.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ssh.patch
index 9aeb3a2..9aeb3a2 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-ssh.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ssh.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-su.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-su.patch
index 358e4ef..358e4ef 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-su.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-su.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-subs_dist.patch
index 4058b18..cfec7d9 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-subs_dist.patch
@@ -6,19 +6,17 @@ mapping to the pathes in file_contexts.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
- config/file_contexts.subs_dist |    8 ++++++++
- 1 files changed, 11 insertions(+), 0 deletions(-)
+ config/file_contexts.subs_dist |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
 
-diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
-index 32b87a4..ebba73d 100644
 --- a/config/file_contexts.subs_dist
 +++ b/config/file_contexts.subs_dist
-@@ -5,3 +5,14 @@
- /usr/lib32 /usr/lib
- /usr/lib64 /usr/lib
+@@ -19,3 +19,13 @@
+ /usr/local/lib64 /usr/lib
+ /usr/local/lib /usr/lib
  /var/run/lock /var/lock
-+/etc/init.d /etc/rc.d/init.d
 +/var/volatile/log /var/log
 +/var/volatile/run /var/run
 +/var/volatile/cache /var/cache
@@ -29,6 +27,3 @@ index 32b87a4..ebba73d 100644
 +/usr/lib/busybox/bin /bin
 +/usr/lib/busybox/sbin /sbin
 +/usr/lib/busybox/usr /usr
--- 
-1.7.5.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-sysnetwork.patch
index e0af6a1..e0af6a1 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-sysnetwork.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-sysnetwork.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-udevd.patch
index c6c19be..c6c19be 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-udevd.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-udevd.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_hostname.patch
index cedb5b5..cedb5b5 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_hostname.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_hostname.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysklogd.patch
index 868ee6b..868ee6b 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysklogd.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysklogd.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysvinit.patch
index 3a617d8..3a617d8 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysvinit.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysvinit.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-bsdpty_device_t.patch
index 9a3322f..9a3322f 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-bsdpty_device_t.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-bsdpty_device_t.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-syslogd_t-symlink.patch
index aa9734a..aa9734a 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-syslogd_t-symlink.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-tmp-symlink.patch
index 210c297..210c297 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-tmp-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-tmp-symlink.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-cache-symlink.patch
index 18a92dd..18a92dd 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-cache-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-cache-symlink.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-apache.patch
index 8bc40c4..8bc40c4 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-apache.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-apache.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
index cbf0f7d..cbf0f7d 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink.patch
index b06f3ef..b06f3ef 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-syslogd_t-to-trusted-object.patch
index 92b1592..92b1592 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-syslogd_t-to-trusted-object.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-syslogd_t-to-trusted-object.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-nfsd-to-exec-shell-commands.patch
index e77a730..e77a730 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-nfsd-to-exec-shell-commands.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-nfsd-to-exec-shell-commands.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-setfiles_t-to-read-symlinks.patch
index 71497fb..71497fb 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-setfiles_t-to-read-symlinks.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-setfiles_t-to-read-symlinks.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-sysadm-to-run-rpcinfo.patch
index ec3dbf4..ec3dbf4 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-sysadm-to-run-rpcinfo.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-sysadm-to-run-rpcinfo.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-don-t-audit-tty_device_t.patch
index 82370d8..82370d8 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-don-t-audit-tty_device_t.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-don-t-audit-tty_device_t.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
index d6c8dbf..d6c8dbf 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-new-SELINUXMNT-in-sys.patch
index 557af04..302a38f 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-new-SELINUXMNT-in-sys.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-new-SELINUXMNT-in-sys.patch
@@ -9,12 +9,11 @@ add rules to access sysfs.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
- policy/modules/kernel/selinux.if |   40 ++++++++++++++++++++++++++++++++++++++
- 1 file changed, 40 insertions(+)
+ policy/modules/kernel/selinux.if |   34 ++++++++++++++++++++++++++++++++--
+ 1 file changed, 32 insertions(+), 2 deletions(-)
 
-diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
-index 81440c5..ee4e86b 100644
 --- a/policy/modules/kernel/selinux.if
 +++ b/policy/modules/kernel/selinux.if
 @@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',`
@@ -28,7 +27,7 @@ index 81440c5..ee4e86b 100644
         # starting in libselinux 2.0.5, init_selinuxmnt() will
         # attempt to short circuit by checking if SELINUXMNT
         # (/selinux) is already a selinuxfs
-@@ -84,6 +88,7 @@ interface(`selinux_dontaudit_get_fs_mount',`
+@@ -84,6 +88,7 @@ interface(`selinux_dontaudit_get_fs_moun
                 type security_t;
         ')
  
@@ -72,7 +71,7 @@ index 81440c5..ee4e86b 100644
         allow $1 security_t:filesystem getattr;
  ')
  
-@@ -183,6 +196,7 @@ interface(`selinux_dontaudit_getattr_fs',`
+@@ -183,6 +196,7 @@ interface(`selinux_dontaudit_getattr_fs'
                 type security_t;
         ')
  
@@ -80,7 +79,7 @@ index 81440c5..ee4e86b 100644
         dontaudit $1 security_t:filesystem getattr;
  ')
  
-@@ -202,6 +216,7 @@ interface(`selinux_dontaudit_getattr_dir',`
+@@ -202,6 +216,7 @@ interface(`selinux_dontaudit_getattr_dir
                 type security_t;
         ')
  
@@ -88,16 +87,15 @@ index 81440c5..ee4e86b 100644
         dontaudit $1 security_t:dir getattr;
  ')
  
-@@ -220,6 +235,8 @@ interface(`selinux_search_fs',`
+@@ -220,6 +235,7 @@ interface(`selinux_search_fs',`
                 type security_t;
         ')
  
 +       dev_getattr_sysfs_dirs($1)
-+       dev_search_sysfs($1)
+        dev_search_sysfs($1)
         allow $1 security_t:dir search_dir_perms;
  ')
- 
-@@ -238,6 +255,7 @@ interface(`selinux_dontaudit_search_fs',`
+@@ -239,6 +255,7 @@ interface(`selinux_dontaudit_search_fs',
                 type security_t;
         ')
  
@@ -105,7 +103,7 @@ index 81440c5..ee4e86b 100644
         dontaudit $1 security_t:dir search_dir_perms;
  ')
  
-@@ -257,6 +275,7 @@ interface(`selinux_dontaudit_read_fs',`
+@@ -258,6 +275,7 @@ interface(`selinux_dontaudit_read_fs',`
                 type security_t;
         ')
  
@@ -113,52 +111,75 @@ index 81440c5..ee4e86b 100644
         dontaudit $1 security_t:dir search_dir_perms;
         dontaudit $1 security_t:file read_file_perms;
  ')
-@@ -342,6 +361,8 @@ interface(`selinux_load_policy',`
+@@ -279,6 +297,7 @@ interface(`selinux_get_enforce_mode',`
+                type security_t;
+        ')
+ 
++       dev_getattr_sysfs_dirs($1)
+        dev_search_sysfs($1)
+        allow $1 security_t:dir list_dir_perms;
+        allow $1 security_t:file read_file_perms;
+@@ -313,6 +332,7 @@ interface(`selinux_set_enforce_mode',`
                 bool secure_mode_policyload;
         ')
  
 +       dev_getattr_sysfs_dirs($1)
-+       dev_search_sysfs($1)
+        dev_search_sysfs($1)
+        allow $1 security_t:dir list_dir_perms;
+        allow $1 security_t:file rw_file_perms;
+@@ -345,6 +365,7 @@ interface(`selinux_load_policy',`
+                bool secure_mode_policyload;
+        ')
+ 
++       dev_getattr_sysfs_dirs($1)
+        dev_search_sysfs($1)
         allow $1 security_t:dir list_dir_perms;
         allow $1 security_t:file rw_file_perms;
-        typeattribute $1 can_load_policy;
-@@ -371,6 +392,8 @@ interface(`selinux_read_policy',`
+@@ -375,6 +396,7 @@ interface(`selinux_read_policy',`
                 type security_t;
         ')
  
 +       dev_getattr_sysfs_dirs($1)
-+       dev_search_sysfs($1)
+        dev_search_sysfs($1)
         allow $1 security_t:dir list_dir_perms;
         allow $1 security_t:file read_file_perms;
-        allow $1 security_t:security read_policy;
-@@ -435,6 +458,8 @@ interface(`selinux_set_generic_booleans',`
+@@ -440,8 +462,8 @@ interface(`selinux_set_generic_booleans'
                 type security_t;
         ')
  
 +       dev_getattr_sysfs_dirs($1)
-+       dev_search_sysfs($1)
+        dev_search_sysfs($1)
+-
         allow $1 security_t:dir list_dir_perms;
         allow $1 security_t:file rw_file_perms;
  
-@@ -475,6 +500,8 @@ interface(`selinux_set_all_booleans',`
+@@ -482,8 +504,8 @@ interface(`selinux_set_all_booleans',`
                 bool secure_mode_policyload;
         ')
  
 +       dev_getattr_sysfs_dirs($1)
-+       dev_search_sysfs($1)
+        dev_search_sysfs($1)
+-
         allow $1 security_t:dir list_dir_perms;
         allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
         allow $1 secure_mode_policyload_t:file read_file_perms;
-@@ -519,6 +546,8 @@ interface(`selinux_set_parameters',`
+@@ -528,6 +550,7 @@ interface(`selinux_set_parameters',`
                 attribute can_setsecparam;
         ')
  
 +       dev_getattr_sysfs_dirs($1)
-+       dev_search_sysfs($1)
+        dev_search_sysfs($1)
         allow $1 security_t:dir list_dir_perms;
         allow $1 security_t:file rw_file_perms;
-        allow $1 security_t:security setsecparam;
-@@ -563,6 +592,7 @@ interface(`selinux_dontaudit_validate_context',`
+@@ -552,6 +575,7 @@ interface(`selinux_validate_context',`
+                type security_t;
+        ')
+ 
++       dev_getattr_sysfs_dirs($1)
+        dev_search_sysfs($1)
+        allow $1 security_t:dir list_dir_perms;
+        allow $1 security_t:file rw_file_perms;
+@@ -574,6 +598,7 @@ interface(`selinux_dontaudit_validate_co
                 type security_t;
         ')
  
@@ -166,51 +187,43 @@ index 81440c5..ee4e86b 100644
         dontaudit $1 security_t:dir list_dir_perms;
         dontaudit $1 security_t:file rw_file_perms;
         dontaudit $1 security_t:security check_context;
-@@ -584,6 +614,8 @@ interface(`selinux_compute_access_vector',`
+@@ -595,6 +620,7 @@ interface(`selinux_compute_access_vector
                 type security_t;
         ')
  
 +       dev_getattr_sysfs_dirs($1)
-+       dev_search_sysfs($1)
+        dev_search_sysfs($1)
         allow $1 security_t:dir list_dir_perms;
         allow $1 security_t:file rw_file_perms;
-        allow $1 security_t:security compute_av;
-@@ -605,6 +637,8 @@ interface(`selinux_compute_create_context',`
+@@ -617,6 +643,7 @@ interface(`selinux_compute_create_contex
                 type security_t;
         ')
  
 +       dev_getattr_sysfs_dirs($1)
-+       dev_search_sysfs($1)
+        dev_search_sysfs($1)
         allow $1 security_t:dir list_dir_perms;
         allow $1 security_t:file rw_file_perms;
-        allow $1 security_t:security compute_create;
-@@ -626,6 +660,8 @@ interface(`selinux_compute_member',`
+@@ -639,6 +666,7 @@ interface(`selinux_compute_member',`
                 type security_t;
         ')
  
 +       dev_getattr_sysfs_dirs($1)
-+       dev_search_sysfs($1)
+        dev_search_sysfs($1)
         allow $1 security_t:dir list_dir_perms;
         allow $1 security_t:file rw_file_perms;
-        allow $1 security_t:security compute_member;
-@@ -655,6 +691,8 @@ interface(`selinux_compute_relabel_context',`
+@@ -669,6 +697,7 @@ interface(`selinux_compute_relabel_conte
                 type security_t;
         ')
  
 +       dev_getattr_sysfs_dirs($1)
-+       dev_search_sysfs($1)
+        dev_search_sysfs($1)
         allow $1 security_t:dir list_dir_perms;
         allow $1 security_t:file rw_file_perms;
-        allow $1 security_t:security compute_relabel;
-@@ -675,6 +713,8 @@ interface(`selinux_compute_user_contexts',`
+@@ -690,6 +719,7 @@ interface(`selinux_compute_user_contexts
                 type security_t;
         ')
  
 +       dev_getattr_sysfs_dirs($1)
-+       dev_search_sysfs($1)
+        dev_search_sysfs($1)
         allow $1 security_t:dir list_dir_perms;
         allow $1 security_t:file rw_file_perms;
-        allow $1 security_t:security compute_user;
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
index 19e2516..f04ebec 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t.
 Upstream-Status: Pending
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
  policy/modules/contrib/rpc.te       |    5 +++++
  policy/modules/contrib/rpcbind.te   |    5 +++++
@@ -13,11 +14,9 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
  policy/modules/kernel/kernel.te     |    2 ++
  4 files changed, 13 insertions(+)
 
-diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
-index 5605205..9e9f468 100644
 --- a/policy/modules/contrib/rpc.te
 +++ b/policy/modules/contrib/rpc.te
-@@ -256,6 +256,11 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -263,6 +263,11 @@ tunable_policy(`nfs_export_all_ro',`
  
  optional_policy(`
         mount_exec(nfsd_t)
@@ -29,27 +28,23 @@ index 5605205..9e9f468 100644
  ')
  
  ########################################
-diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
-index 196f168..9c75677 100644
 --- a/policy/modules/contrib/rpcbind.te
 +++ b/policy/modules/contrib/rpcbind.te
-@@ -71,6 +71,11 @@ miscfiles_read_localization(rpcbind_t)
+@@ -70,6 +70,11 @@ logging_send_syslog_msg(rpcbind_t)
  
- sysnet_dns_name_resolve(rpcbind_t)
+ miscfiles_read_localization(rpcbind_t)
  
 +# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
 +# because the are running in different level. So add rules to allow this.
 +mls_socket_read_all_levels(rpcbind_t)
 +mls_socket_write_all_levels(rpcbind_t)
 +
- optional_policy(`
-        nis_use_ypbind(rpcbind_t)
+ ifdef(`distro_debian',`
+        term_dontaudit_use_unallocated_ttys(rpcbind_t)
  ')
-diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 1c66416..2b9e7ce 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
-@@ -119,6 +119,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+@@ -119,6 +119,7 @@ genfscon mvfs / gen_context(system_u:obj
  
  type nfsd_fs_t;
  fs_type(nfsd_fs_t)
@@ -57,11 +52,9 @@ index 1c66416..2b9e7ce 100644
  genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
  
  type oprofilefs_t;
-diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 49fde6e..a731078 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
-@@ -284,6 +284,8 @@ mls_process_read_up(kernel_t)
+@@ -293,6 +293,8 @@ mls_process_read_up(kernel_t)
  mls_process_write_down(kernel_t)
  mls_file_write_all_levels(kernel_t)
  mls_file_read_all_levels(kernel_t)
@@ -70,6 +63,3 @@ index 49fde6e..a731078 100644
  
  ifdef(`distro_redhat',`
         # Bugzilla 222337
--- 
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-setfiles-statvfs-get-file-count.patch
index 90efbd8..90efbd8 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-setfiles-statvfs-get-file-count.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-setfiles-statvfs-get-file-count.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-seutils-manage-config-files.patch
index be33bf1..be33bf1 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-seutils-manage-config-files.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-seutils-manage-config-files.patch
diff --git a/recipes-security/refpolicy/refpolicy-mcs_2.20130424.bb b/recipes-security/refpolicy/refpolicy-mcs_2.20140311.bb
index 9288e2a..062727b 100644
--- a/recipes-security/refpolicy/refpolicy-mcs_2.20130424.bb
+++ b/recipes-security/refpolicy/refpolicy-mcs_2.20140311.bb
@@ -6,8 +6,6 @@ level. This is useful on systems where a hierarchical policy (MLS) isn't \
 needed (pretty much all systems) but the non-hierarchical categories are. \
 "
 
-PR = "r99"
-
 POLICY_TYPE = "mcs"
 
 include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20140311.bb
index fc83fd5..b275821 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20140311.bb
@@ -1,5 +1,3 @@
-PR = "r99"
-
 include refpolicy-targeted_${PV}.bb
 
 SUMMARY = "SELinux minimum policy"
@@ -40,19 +38,11 @@ prepare_policy_store () {
         mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
         mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
         touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
-        if  ${@bb.utils.contains('DISTRO_FEATURES','compressed_policy','true','false',d)}; then
-                bzip2 base.pp
-                cp base.pp.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
-                for i in ${POLICY_MODULES_MIN}; do
-                        bzip2 $i
-                        cp ${i}.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i`
-                done
-        else
-                bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/base.pp  > \
-                        ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
-                for i in ${POLICY_MODULES_MIN}; do
-                        bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/$i.pp > \
-                                ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/$i.pp
-                done
-        fi
+        for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
+                bzip2 -f $i && mv -f $i.bz2 $i
+        done
+        cp base.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
+        for i in ${POLICY_MODULES_MIN}; do
+                cp ${i}.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i.pp`
+        done
 }
diff --git a/recipes-security/refpolicy/refpolicy-mls_2.20130424.bb b/recipes-security/refpolicy/refpolicy-mls_2.20140311.bb
index e586ac2..7388232 100644
--- a/recipes-security/refpolicy/refpolicy-mls_2.20130424.bb
+++ b/recipes-security/refpolicy/refpolicy-mls_2.20140311.bb
@@ -5,8 +5,6 @@ It allows giving data labels such as \"Top Secret\" and preventing \
 such data from leaking to processes or files with lower classification. \
 "
 
-PR = "r99"
-
 POLICY_TYPE = "mls"
 
 include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy-standard_2.20130424.bb b/recipes-security/refpolicy/refpolicy-standard_2.20140311.bb
index 98bc26b..3674fdd 100644
--- a/recipes-security/refpolicy/refpolicy-standard_2.20130424.bb
+++ b/recipes-security/refpolicy/refpolicy-standard_2.20140311.bb
@@ -3,8 +3,6 @@ DESCRIPTION = "\
 This is the reference policy for SELinux built with type enforcement \
 only."
 
-PR = "r99"
-
 POLICY_TYPE = "standard"
 
 include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
index e39afca..51edcd2 100644
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
+++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
@@ -1,4 +1,4 @@
-Subject: [PATCH] refpolicy: make unconfined_u the default selinux user
+refpolicy: make unconfined_u the default selinux user
 
 For targeted policy type, we define unconfined_u as the default selinux
 user for root and normal users, so users could login in and run most
@@ -10,16 +10,15 @@ run_init.
 Upstream-Status: Inappropriate [configuration] 
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
- config/appconfig-mcs/seusers        |    4 +-
- policy/modules/roles/sysadm.te      |    1 +
- policy/modules/system/init.if       |   47 +++++++++++++++++++++++++++++------
+ config/appconfig-mcs/seusers        |    4 +--
+ policy/modules/roles/sysadm.te      |    1 
+ policy/modules/system/init.if       |   47 +++++++++++++++++++++++++++++-------
  policy/modules/system/unconfined.te |    7 +++++
- policy/users                        |   14 +++------
- 5 files changed, 54 insertions(+), 19 deletions(-)
+ policy/users                        |   16 ++++--------
+ 5 files changed, 55 insertions(+), 20 deletions(-)
 
-diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
-index dc5f1e4..4428da8 100644
 --- a/config/appconfig-mcs/seusers
 +++ b/config/appconfig-mcs/seusers
 @@ -1,3 +1,3 @@
@@ -28,11 +27,9 @@ index dc5f1e4..4428da8 100644
 -__default__:user_u:s0
 +root:unconfined_u:s0-mcs_systemhigh
 +__default__:unconfined_u:s0
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 85ff145..77d7bdc 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -37,6 +37,7 @@ ubac_file_exempt(sysadm_t)
+@@ -34,6 +34,7 @@ ubac_file_exempt(sysadm_t)
  ubac_fd_exempt(sysadm_t)
  
  init_exec(sysadm_t)
@@ -40,11 +37,9 @@ index 85ff145..77d7bdc 100644
  
  # Add/remove user home directories
  userdom_manage_user_home_dirs(sysadm_t)
-diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index d26fe81..fa46786 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
-@@ -803,11 +803,12 @@ interface(`init_script_file_entry_type',`
+@@ -825,11 +825,12 @@ interface(`init_script_file_entry_type',
  #
  interface(`init_spec_domtrans_script',`
         gen_require(`
@@ -59,7 +54,7 @@ index d26fe81..fa46786 100644
  
         ifdef(`distro_gentoo',`
                 gen_require(`
-@@ -818,11 +819,11 @@ interface(`init_spec_domtrans_script',`
+@@ -840,11 +841,11 @@ interface(`init_spec_domtrans_script',`
         ')
  
         ifdef(`enable_mcs',`
@@ -73,7 +68,7 @@ index d26fe81..fa46786 100644
         ')
  ')
  
-@@ -838,18 +839,19 @@ interface(`init_spec_domtrans_script',`
+@@ -860,18 +861,19 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
         gen_require(`
@@ -97,7 +92,7 @@ index d26fe81..fa46786 100644
         ')
  ')
  
-@@ -1792,3 +1794,32 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1837,3 +1839,32 @@ interface(`init_udp_recvfrom_all_daemons
         ')
         corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -130,8 +125,6 @@ index d26fe81..fa46786 100644
 +       role_transition $1 init_script_file_type system_r;
 +')
 +
-diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 0280b32..00b4dcf 100644
 --- a/policy/modules/system/unconfined.te
 +++ b/policy/modules/system/unconfined.te
 @@ -20,6 +20,11 @@ type unconfined_execmem_t;
@@ -146,17 +139,15 @@ index 0280b32..00b4dcf 100644
  
  ########################################
  #
-@@ -34,6 +39,8 @@ mcs_killall(unconfined_t)
- mcs_ptrace_all(unconfined_t)
- 
- init_run_daemon(unconfined_t, unconfined_r)
-+init_domtrans_script(unconfined_t)
-+init_script_role_transition(unconfined_r)
- 
- libs_run_ldconfig(unconfined_t, unconfined_r)
- 
-diff --git a/policy/users b/policy/users
-index c4ebc7e..f300f22 100644
+@@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_hom
+ ifdef(`direct_sysadm_daemon',`
+         optional_policy(`
+                 init_run_daemon(unconfined_t, unconfined_r)
++                init_domtrans_script(unconfined_t)
++                init_script_role_transition(unconfined_r)
+         ')
+ ',`
+         ifdef(`distro_gentoo',`
 --- a/policy/users
 +++ b/policy/users
 @@ -15,7 +15,7 @@
@@ -168,7 +159,7 @@ index c4ebc7e..f300f22 100644
  
  #
  # user_u is a generic user identity for Linux users who have no
-@@ -25,11 +25,11 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+@@ -25,14 +25,14 @@ gen_user(system_u,, system_r, s0, s0 - m
  # permit any access to such users, then remove this entry.
  #
  gen_user(user_u, user, user_r, s0, s0)
@@ -178,12 +169,16 @@ index c4ebc7e..f300f22 100644
 +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
  
  # Until order dependence is fixed for users:
--gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ ifdef(`direct_sysadm_daemon',`
+-        gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
++        gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ ',`
+-        gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
++        gen_user(unconfined_u, user, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ ')
  
  #
- # The following users correspond to Unix identities.
-@@ -38,8 +38,4 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al
+@@ -42,8 +42,4 @@ ifdef(`direct_sysadm_daemon',`
  # role should use the staff_r role instead of the user_r role when
  # not in the sysadm_r.
  #
@@ -193,6 +188,3 @@ index c4ebc7e..f300f22 100644
 -       gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 -')
 +gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--- 
-1.7.1
-
diff --git a/recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb b/recipes-security/refpolicy/refpolicy-targeted_2.20140311.bb
index 1f20caa..b169604 100644
--- a/recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb
+++ b/recipes-security/refpolicy/refpolicy-targeted_2.20140311.bb
@@ -12,8 +12,9 @@ POLICY_NAME = "targeted"
 POLICY_TYPE = "mcs"
 POLICY_MLS_SENS = "0"
 
-PR = "r99"
 include refpolicy_${PV}.inc
 
-SRC_URI += "file://refpolicy-fix-optional-issue-on-sysadm-module.patch \
-        file://refpolicy-unconfined_u-default-user.patch"
+SRC_URI += " \
+            file://refpolicy-fix-optional-issue-on-sysadm-module.patch \
+            file://refpolicy-unconfined_u-default-user.patch \
+           "
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20140311.inc
index 0e7419d..8894583 100644
--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20140311.inc
@@ -1,8 +1,8 @@
-SRC_URI = "http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2;"
-SRC_URI[md5sum] = "6a5c975258cc8eb92c122f11b11a5085"
-SRC_URI[sha256sum] = "6039ba854f244a39dc727cc7db25632f7b933bb271c803772d754d4354f5aef4"
+SRC_URI = "https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2;"
+SRC_URI[md5sum] = "418f8d2a6ada3a299816153e70970449"
+SRC_URI[sha256sum] = "f69437db95548c78a5dec44c236397146b144153149009ea554d2e536e5436f7"
 
-FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20130424:"
+FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20140311:"
 
 # Fix file contexts for Poky
 SRC_URI += "file://poky-fc-subs_dist.patch \
@@ -49,19 +49,11 @@ SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
            "
 
 # Other policy fixes 
-SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
+SRC_URI += " \
             file://poky-policy-fix-seutils-manage-config-files.patch \
             file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \
             file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
-            file://hostname-do-not-audit-attempts-by-hostname-to-read-a.patch \
-            file://sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch \
             file://ftp-add-ftpd_t-to-mlsfilewrite.patch \
            "
 
-# Backport from upstream
-SRC_URI += "file://Allow-ping-to-get-set-capabilities.patch \
-            file://filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch \
-            file://Allow-udev-the-block_suspend-capability.patch \
-           "
-
 include refpolicy_common.inc
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index abadb2a..0dc055e 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -13,7 +13,7 @@ S = "${WORKDIR}/refpolicy"
 
 FILES_${PN} = " \
         ${sysconfdir}/selinux/${POLICY_NAME}/ \
-        ${@bb.utils.contains('DISTRO_FEATURES', 'compressed_policy', '${datadir}/selinux/${POLICY_NAME}/*.pp.bz2', '${datadir}/selinux/${POLICY_NAME}/*.pp', d)} \
+        ${datadir}/selinux/${POLICY_NAME}/*.pp \
         "
 FILES_${PN}-dev =+ "${datadir}/selinux/${POLICY_NAME}/include/"
 
@@ -69,24 +69,14 @@ prepare_policy_store () {
         mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
         mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
         touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
-        if  ${@bb.utils.contains('DISTRO_FEATURES','compressed_policy','true','false',d)}; then
-                for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
-                        bzip2 $i
-                        if [ "`basename $i`" != "base.pp" ]; then
-                                cp ${i}.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i`
-                        else
-                                cp ${i}.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/`basename $i`
-                        fi
-                done
-        else
-                bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/base.pp  >\
-                        ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
-                for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
-                        if [ "`basename $i`" != "base.pp" ]; then
-                                bzip2 -c $i > ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i`;
-                        fi
-                done
-        fi
+        for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
+                bzip2 -f $i && mv -f $i.bz2 $i
+                if [ "`basename $i`" != "base.pp" ]; then
+                        cp $i ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i`
+                else
+                        cp $i ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/`basename $i`
+                fi
+        done
 }
 
 rebuild_policy () {
diff --git a/recipes-security/selinux/checkpolicy.inc b/recipes-security/selinux/checkpolicy.inc
index e0c7377..1a21680 100644
--- a/recipes-security/selinux/checkpolicy.inc
+++ b/recipes-security/selinux/checkpolicy.inc
@@ -11,7 +11,7 @@ LICENSE = "GPLv2+"
 
 DEPENDS += "libsepol libselinux bison-native flex-native"
 
-SRC_URI += "file://checkpolicy-Do-not-link-against-libfl.patch"
+#SRC_URI += "file://checkpolicy-Do-not-link-against-libfl.patch"
 
 EXTRA_OEMAKE += "PREFIX=${D}" 
 EXTRA_OEMAKE += "LEX='flex'"
diff --git a/recipes-security/selinux/checkpolicy_2.2.bb b/recipes-security/selinux/checkpolicy_2.2.bb
deleted file mode 100644
index 23d57c1..0000000
--- a/recipes-security/selinux/checkpolicy_2.2.bb
+++ /dev/null
@@ -1,9 +0,0 @@
-PR = "r99"
-
-include selinux_20131030.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "d76d5c70cd594fdb15f8d319c6536324"
-SRC_URI[sha256sum] = "5d74075379cbaf17135c2a113a3053bd2e7b2a2c54ac04458de652457306c020"
diff --git a/recipes-security/selinux/checkpolicy_2.3.bb b/recipes-security/selinux/checkpolicy_2.3.bb
new file mode 100644
index 0000000..9f68487
--- /dev/null
+++ b/recipes-security/selinux/checkpolicy_2.3.bb
@@ -0,0 +1,7 @@
+include selinux_20140506.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "920f1a048b6023a22e1bae7b40fd413c"
+SRC_URI[sha256sum] = "8072c12121613ba943417bbb6d33224d12373ea19d75c5acd1846a35e0e05b74" 
diff --git a/recipes-security/selinux/libselinux_2.2.2.bb b/recipes-security/selinux/libselinux_2.3.bb
index d6502ad..81e599d 100644
--- a/recipes-security/selinux/libselinux_2.2.2.bb
+++ b/recipes-security/selinux/libselinux_2.3.bb
@@ -1,12 +1,10 @@
-PR = "r99"
-
-include selinux_20131030.inc
+include selinux_20140506.inc
 include ${BPN}.inc
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
 
-SRC_URI[md5sum] = "c13ea5de171f21fee399abfd4aef9481"
-SRC_URI[sha256sum] = "cc8354d67d7bef11fb2a03d23e788c6f4e8510b6760c3778dc7baf6dcfa97539"
+SRC_URI[md5sum] = "d27e249ad8450e7182203134cf4d85e2"
+SRC_URI[sha256sum] = "03fe2baa7ceeea531a64fd321b44ecf09a55f3af5ef66a58a4135944f34e9851"
 
 SRC_URI += "\
         file://libselinux-drop-Wno-unused-but-set-variable.patch \
diff --git a/recipes-security/selinux/libsemanage_2.2.bb b/recipes-security/selinux/libsemanage_2.3.bb
index 1f00d07..5eada94 100644
--- a/recipes-security/selinux/libsemanage_2.2.bb
+++ b/recipes-security/selinux/libsemanage_2.3.bb
@@ -1,12 +1,10 @@
-PR = "r99"
-
-include selinux_20131030.inc
+include selinux_20140506.inc
 include ${BPN}.inc
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
 
-SRC_URI[md5sum] = "2bb8f4b728a5667519764297b7725c19"
-SRC_URI[sha256sum] = "9b421ce1df10594cb467eef37faeb403d5c6b341a4b7e4b407ac4cb77df95cba"
+SRC_URI[md5sum] = "cc313b400637d94e3a549bf77555d8c3"
+SRC_URI[sha256sum] = "4c984379a98ee9f05b80ff6e57dd2de886273d7136146456cabdce21ac32ed7f"
 
 SRC_URI += "\
         file://libsemanage-Fix-execve-segfaults-on-Ubuntu.patch \
diff --git a/recipes-security/selinux/libsepol_2.2.bb b/recipes-security/selinux/libsepol_2.2.bb
deleted file mode 100644
index a0b7df7..0000000
--- a/recipes-security/selinux/libsepol_2.2.bb
+++ /dev/null
@@ -1,9 +0,0 @@
-PR = "r99"
-
-include selinux_20131030.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
-
-SRC_URI[md5sum] = "2d43599ed29fea9ef41218ec9635ef64"
-SRC_URI[sha256sum] = "fbd77459fd03979a9020289b10c89a0af56a52bcd0f7ae0a78455713bb04878b"
diff --git a/recipes-security/selinux/libsepol_2.3.bb b/recipes-security/selinux/libsepol_2.3.bb
new file mode 100644
index 0000000..0c07d41
--- /dev/null
+++ b/recipes-security/selinux/libsepol_2.3.bb
@@ -0,0 +1,7 @@
+include selinux_20140506.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
+
+SRC_URI[md5sum] = "c6b3dc07bf19ab4f364f21bbecb44beb"
+SRC_URI[sha256sum] = "5a4481bfd0fad6fdad1511c786d69de1fc3eddc28154eae1691e1bf4e9e505c3"
diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc
index 153b688..44a5861 100644
--- a/recipes-security/selinux/policycoreutils.inc
+++ b/recipes-security/selinux/policycoreutils.inc
@@ -211,7 +211,7 @@ FILES_${PN}-setsebool += "\
 FILES_system-config-selinux = " \
     ${bindir}/sepolgen \
     ${datadir}/system-config-selinux/* \
-    ${datadir}/icons/hicolor/24x24/apps/system-config-selinux.png \
+    ${datadir}/icons/hicolor/ \
     ${datadir}/polkit-1/actions/org.selinux.config.policy \
 "
 
diff --git a/recipes-security/selinux/policycoreutils_2.2.5.bb b/recipes-security/selinux/policycoreutils_2.3.bb
index 96cf354..447e6c9 100644
--- a/recipes-security/selinux/policycoreutils_2.2.5.bb
+++ b/recipes-security/selinux/policycoreutils_2.3.bb
@@ -1,12 +1,10 @@
-PR = "r99"
-
-include selinux_20131030.inc
+include selinux_20140506.inc
 include ${BPN}.inc
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
 
-SRC_URI[md5sum] = "f330a90c566c8b564858d45399ce3dd1"
-SRC_URI[sha256sum] = "3d2c8806742004693c2d4726abbc4f412340ee07bed407976dd8abeda09a4333"
+SRC_URI[md5sum] = "4f5c508e3c3867c8beb343e993d353dd"
+SRC_URI[sha256sum] = "11e8815ac13debb87897d2781381b89ec5c6c746a3d44223a493bc7ace6cc71f"
 
 SRC_URI += "\
         file://policycoreutils-fix-sepolicy-install-path.patch \
diff --git a/recipes-security/selinux/selinux_20131030.inc b/recipes-security/selinux/selinux_20140506.inc
index 01cc52f..01cc52f 100644
--- a/recipes-security/selinux/selinux_20131030.inc
+++ b/recipes-security/selinux/selinux_20140506.inc
diff --git a/recipes-security/selinux/selinux_git.inc b/recipes-security/selinux/selinux_git.inc
index d56f25b..6112d7d 100644
--- a/recipes-security/selinux/selinux_git.inc
+++ b/recipes-security/selinux/selinux_git.inc
@@ -1,6 +1,6 @@
 SRCREV = "edc2e99687b050d5be21a78a66d038aa1fc068d9"
 
-SRC_URI = "git://oss.tresys.com/git/selinux.git;protocol=http"
+SRC_URI = "git://github.com/SELinuxProject/selinux.git;protocol=http"
 
 include selinux_common.inc
 
diff --git a/recipes-security/selinux/sepolgen_1.2.1.bb b/recipes-security/selinux/sepolgen_1.2.1.bb
index 21dff41..b47ff26 100644
--- a/recipes-security/selinux/sepolgen_1.2.1.bb
+++ b/recipes-security/selinux/sepolgen_1.2.1.bb
@@ -1,6 +1,4 @@
-PR = "r99"
-
-include selinux_20131030.inc
+include selinux_20140506.inc
 include ${BPN}.inc
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
diff --git a/recipes-security/setools/setools/setools-Changes-to-support-named-file_trans-rules.patch b/recipes-security/setools/setools/setools-Changes-to-support-named-file_trans-rules.patch
deleted file mode 100644
index d44ae21..0000000
--- a/recipes-security/setools/setools/setools-Changes-to-support-named-file_trans-rules.patch
+++ /dev/null
@@ -1,1511 +0,0 @@
-From e0f74aa934140ccc6f5a51aa2df6fd19f0c0ee08 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Wed, 7 Mar 2012 11:00:19 +0800
-Subject: [PATCH 5/7] setools: Changes to support named file_trans rules
-
-Integrated from Fedora:
-https://community.dev.fedoraproject.org/packages/setools/sources/patches/
----
- libapol/include/apol/Makefile.am    |    1 +
- libapol/include/apol/ftrule-query.h |  198 +++++++++++++++++++
- libapol/include/apol/policy-query.h |    1 +
- libapol/src/Makefile.am             |    1 +
- libapol/src/ftrule-query.c          |  363 +++++++++++++++++++++++++++++++++++
- libapol/src/libapol.map             |    1 +
- libqpol/include/qpol/Makefile.am    |    1 +
- libqpol/include/qpol/ftrule_query.h |  116 +++++++++++
- libqpol/include/qpol/policy.h       |    1 +
- libqpol/src/Makefile.am             |    1 +
- libqpol/src/ftrule_query.c          |  277 ++++++++++++++++++++++++++
- libqpol/src/libqpol.map             |    1 +
- libqpol/src/module_compiler.c       |   12 ++
- libqpol/src/policy_define.c         |  186 ++++++++++++++++++-
- libqpol/src/policy_parse.y          |   13 +-
- libqpol/src/policy_scan.l           |    1 +
- secmds/sesearch.c                   |  101 ++++++++++
- 17 files changed, 1272 insertions(+), 3 deletions(-)
- create mode 100644 libapol/include/apol/ftrule-query.h
- create mode 100644 libapol/src/ftrule-query.c
- create mode 100644 libqpol/include/qpol/ftrule_query.h
- create mode 100644 libqpol/src/ftrule_query.c
-
-diff --git a/libapol/include/apol/Makefile.am b/libapol/include/apol/Makefile.am
-index 0883c10..e398ff2 100644
---- a/libapol/include/apol/Makefile.am
-+++ b/libapol/include/apol/Makefile.am
-@@ -27,6 +27,7 @@ apol_HEADERS = \
-        relabel-analysis.h \
-        render.h \
-        role-query.h \
-+       ftrule-query.h \
-        terule-query.h \
-        type-query.h \
-        types-relation-analysis.h \
-diff --git a/libapol/include/apol/ftrule-query.h b/libapol/include/apol/ftrule-query.h
-new file mode 100644
-index 0000000..119c52f
---- /dev/null
-+++ b/libapol/include/apol/ftrule-query.h
-@@ -0,0 +1,198 @@
-+/**
-+ * @file
-+ *
-+ * Routines to query filename_transition rules of a
-+ * policy.  
-+ *
-+ * @author Jeremy A. Mowery jmowery@tresys.com
-+ * @author Jason Tang  jtang@tresys.com
-+ *
-+ * Copyright (C) 2006-2007 Tresys Technology, LLC
-+ *
-+ *  This library is free software; you can redistribute it and/or
-+ *  modify it under the terms of the GNU Lesser General Public
-+ *  License as published by the Free Software Foundation; either
-+ *  version 2.1 of the License, or (at your option) any later version.
-+ *
-+ *  This library is distributed in the hope that it will be useful,
-+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+ *  Lesser General Public License for more details.
-+ *
-+ *  You should have received a copy of the GNU Lesser General Public
-+ *  License along with this library; if not, write to the Free Software
-+ *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-+ */
-+
-+#ifndef APOL_FILENAMERULE_QUERY_H
-+#define APOL_FILENAMERULE_QUERY_H
-+
-+#ifdef __cplusplus
-+extern "C"
-+{
-+#endif
-+
-+#include "policy.h"
-+#include "vector.h"
-+#include <qpol/policy.h>
-+
-+       typedef struct apol_filename_trans_query apol_filename_trans_query_t;
-+
-+
-+/******************** filename_transition queries ********************/
-+
-+/**
-+ * Execute a query against all filename_transition rules within the
-+ * policy.
-+ *
-+ * @param p Policy within which to look up filename_transition rules.
-+ * @param r Structure containing parameters for query. If this is
-+ * NULL then return all filename_transition rules.
-+ * @param v Reference to a vector of qpol_filename_trans_t.  The vector
-+ * will be allocated by this function.  The caller must call
-+ * apol_vector_destroy() afterwards.  This will be set to NULL upon no
-+ * results or upon error.
-+ *
-+ * @return 0 on success (including none found), negative on error.
-+ */
-+       extern int apol_filename_trans_get_by_query(const apol_policy_t * p, const apol_filename_trans_query_t * r, apol_vector_t ** v);
-+
-+/**
-+ * Allocate and return a new filename trans query structure.  All fields
-+ * are initialized, such that running this blank query results in
-+ * returning all filename_transitions within the policy.  The caller must
-+ * call apol_filename_trans_query_destroy() upon the return value
-+ * afterwards.
-+ *
-+ * @return An initialized filename trans query structure, or NULL upon
-+ * error.
-+ */
-+       extern apol_filename_trans_query_t *apol_filename_trans_query_create(void);
-+
-+/**
-+ * Deallocate all memory associated with the referenced filename trans
-+ * query, and then set it to NULL.  This function does nothing if the
-+ * query is already NULL.
-+ *
-+ * @param r Reference to a filename trans query structure to destroy.
-+ */
-+       extern void apol_filename_trans_query_destroy(apol_filename_trans_query_t ** r);
-+
-+/**
-+ * Set a filename_trans query to return rules whose source symbol matches
-+ * symbol.  Symbol may be a type or attribute; if it is an alias then
-+ * the query will convert it to its primary prior to searching.  If
-+ * is_indirect is non-zero then the search will be done indirectly.
-+ * If the symbol is a type, then the query matches rules with one of
-+ * the type's attributes.  If the symbol is an attribute, then it
-+ * matches rule with any of the attribute's types.
-+ *
-+ * @param p Policy handler, to report errors.
-+ * @param t TE rule query to set.
-+ * @param symbol Limit query to rules with this symbol as their
-+ * source, or NULL to unset this field.
-+ * @param is_indirect If non-zero, perform indirect matching.
-+ *
-+ * @return 0 on success, negative on error.
-+ */
-+       extern int apol_filename_trans_query_set_source(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *symbol,
-+                                               int is_indirect);
-+
-+/**
-+ * Set a filename trans query to return rules with a particular target
-+ * symbol.  Symbol may be a type or attribute; if it is an alias then
-+ * the query will convert it to its primary prior to searching.  If
-+ * is_indirect is non-zero then the search will be done indirectly.
-+ * If the symbol is a type, then the query matches rules with one of
-+ * the type's attributes.  If the symbol is an attribute, then it
-+ * matches rule with any of the attribute's types.
-+ *
-+ * @param p Policy handler, to report errors.
-+ * @param r Role trans query to set.
-+ * @param symbol Limit query to rules with this type or attribute as
-+ * their target, or NULL to unset this field.
-+ * @param is_indirect If non-zero, perform indirect matching.
-+ *
-+ * @return 0 on success, negative on error.
-+ */
-+       extern int apol_filename_trans_query_set_target(const apol_policy_t * p, apol_filename_trans_query_t * r, const char *symbol,
-+                                                   int is_indirect);
-+
-+/**
-+ * Set a filename trans query to return rules with a particular default
-+ * filename.  This field is ignored if
-+ * apol_filename_trans_query_set_source_any() is set to non-zero.
-+ *
-+ * @param p Policy handler, to report errors.
-+ * @param r Role trans query to set.
-+ * @param filename Limit query to rules with this filename as their default, or
-+ * NULL to unset this field.
-+ *
-+ * @return 0 on success, negative on error.
-+ */
-+       extern int apol_filename_trans_query_set_default(const apol_policy_t * p, apol_filename_trans_query_t * r, const char *filename);
-+
-+/**
-+ * Set at filename_trans query to return rules with this object (non-common)
-+ * class.  If more than one class are appended to the query, the
-+ * rule's class must be one of those appended.  (I.e., the rule's
-+ * class must be a member of the query's classes.)  Pass a NULL to
-+ * clear all classes.  Note that this performs straight string
-+ * comparison, ignoring the regex flag.
-+
-+ *
-+ * @param p Policy handler, to report errors.
-+ * @param t TE rule query to set.
-+ * @param obj_class Name of object class to add to search set.
-+ *
-+ * @return 0 on success, negative on error.
-+ */
-+       extern int apol_filename_trans_query_append_class(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *obj_class);
-+
-+/**
-+ * Set a filename trans query to treat the source filename as any.  That is,
-+ * use the same symbol for either source or default of a
-+ * filename_transition rule.  This flag does nothing if the source filename is
-+ * not set.  Note that a filename_transition's target is a type, so thus
-+ * this flag does not affect its searching.
-+ *
-+ * @param p Policy handler, to report errors.
-+ * @param r Role trans query to set.
-+ * @param is_any Non-zero to use source symbol for source or default
-+ * field, 0 to keep source as only source.
-+ *
-+ * @return Always 0.
-+ */
-+       extern int apol_filename_trans_query_set_source_any(const apol_policy_t * p, apol_filename_trans_query_t * r, int is_any);
-+
-+/**
-+ * Set a filename trans query to use regular expression searching for
-+ * source, target, and default fields.  Strings will be treated as
-+ * regexes instead of literals.  For the target type, matching will
-+ * occur against the type name or any of its aliases.
-+ *
-+ * @param p Policy handler, to report errors.
-+ * @param r Role trans query to set.
-+ * @param is_regex Non-zero to enable regex searching, 0 to disable.
-+ *
-+ * @return Always 0.
-+ */
-+       extern int apol_filename_trans_query_set_regex(const apol_policy_t * p, apol_filename_trans_query_t * r, int is_regex);
-+
-+/**
-+ *  Render a filename_transition rule to a string.
-+ *
-+ *  @param policy Policy handler, to report errors.
-+ *  @param rule The rule to render.
-+ *
-+ *  @return A newly malloc()'d string representation of the rule, or NULL on
-+ *  failure; if the call fails, errno will be set. The caller is responsible
-+ *  for calling free() on the returned string.
-+ */
-+       extern char *apol_filename_trans_render(const apol_policy_t * policy, const qpol_filename_trans_t * rule);
-+
-+#ifdef __cplusplus
-+}
-+#endif
-+
-+#endif
-diff --git a/libapol/include/apol/policy-query.h b/libapol/include/apol/policy-query.h
-index 315f70e..665e4cb 100644
---- a/libapol/include/apol/policy-query.h
-+++ b/libapol/include/apol/policy-query.h
-@@ -71,6 +71,7 @@ extern "C"
- #include "terule-query.h"
- #include "condrule-query.h"
- #include "rbacrule-query.h"
-+#include "ftrule-query.h"
- #include "range_trans-query.h"
- #include "constraint-query.h"
- 
-diff --git a/libapol/src/Makefile.am b/libapol/src/Makefile.am
-index 3fa4f06..baaa4f6 100644
---- a/libapol/src/Makefile.am
-+++ b/libapol/src/Makefile.am
-@@ -40,6 +40,7 @@ libapol_a_SOURCES = \
-        render.c \
-        role-query.c \
-        terule-query.c \
-+       ftrule-query.c \
-        type-query.c \
-        types-relation-analysis.c \
-        user-query.c \
-diff --git a/libapol/src/ftrule-query.c b/libapol/src/ftrule-query.c
-new file mode 100644
-index 0000000..dc248de
---- /dev/null
-+++ b/libapol/src/ftrule-query.c
-@@ -0,0 +1,363 @@
-+/**
-+ * @file
-+ *
-+ * Provides a way for setools to make queries about type enforcement
-+ * filename_transs within a policy.  The caller obtains a query object, fills in
-+ * its parameters, and then runs the query; it obtains a vector of
-+ * results.  Searches are conjunctive -- all fields of the search
-+ * query must match for a datum to be added to the results query.
-+ *
-+ * @author Jeremy A. Mowery jmowery@tresys.com
-+ * @author Jason Tang  jtang@tresys.com
-+ *
-+ * Copyright (C) 2006-2007 Tresys Technology, LLC
-+ *
-+ *  This library is free software; you can redistribute it and/or
-+ *  modify it under the terms of the GNU Lesser General Public
-+ *  License as published by the Free Software Foundation; either
-+ *  version 2.1 of the License, or (at your option) any later version.
-+ *
-+ *  This library is distributed in the hope that it will be useful,
-+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+ *  Lesser General Public License for more details.
-+ *
-+ *  You should have received a copy of the GNU Lesser General Public
-+ *  License along with this library; if not, write to the Free Software
-+ *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-+ */
-+
-+#include "policy-query-internal.h"
-+
-+#include <errno.h>
-+#include <string.h>
-+
-+struct apol_filename_trans_query
-+{
-+       char *source, *target, *default_type, *name;
-+       apol_vector_t *classes;
-+       unsigned int flags;
-+};
-+
-+
-+/******************** filename_transition queries ********************/
-+
-+int apol_filename_trans_get_by_query(const apol_policy_t * p, const apol_filename_trans_query_t * t, apol_vector_t ** v)
-+{
-+       apol_vector_t *source_list = NULL, *target_list = NULL, *class_list = NULL, *default_list = NULL;
-+       int retval = -1, source_as_any = 0, is_regex = 0, append_filename_trans;
-+       char *bool_name = NULL;
-+       *v = NULL;
-+       unsigned int flags = 0;
-+       qpol_iterator_t *iter = NULL, *type_iter = NULL;
-+
-+       if (t != NULL) {
-+               flags = t->flags;
-+               is_regex = t->flags & APOL_QUERY_REGEX;
-+               if (t->source != NULL &&
-+                   (source_list =
-+                    apol_query_create_candidate_type_list(p, t->source, is_regex,
-+                                                          t->flags & APOL_QUERY_SOURCE_INDIRECT,
-+                                                          ((t->flags & (APOL_QUERY_SOURCE_TYPE | APOL_QUERY_SOURCE_ATTRIBUTE)) /
-+                                                           APOL_QUERY_SOURCE_TYPE))) == NULL) {
-+                       goto cleanup;
-+               }
-+
-+               if ((t->flags & APOL_QUERY_SOURCE_AS_ANY) && t->source != NULL) {
-+                       default_list = target_list = source_list;
-+                       source_as_any = 1;
-+               } else {
-+                       if (t->target != NULL &&
-+                           (target_list =
-+                            apol_query_create_candidate_type_list(p, t->target, is_regex,
-+                                                                  t->flags & APOL_QUERY_TARGET_INDIRECT,
-+                                                                  ((t->
-+                                                                    flags & (APOL_QUERY_TARGET_TYPE | APOL_QUERY_TARGET_ATTRIBUTE))
-+                                                                   / APOL_QUERY_TARGET_TYPE))) == NULL) {
-+                               goto cleanup;
-+                       }
-+                       if (t->default_type != NULL &&
-+                           (default_list =
-+                            apol_query_create_candidate_type_list(p, t->default_type, is_regex, 0,
-+                                                                  APOL_QUERY_SYMBOL_IS_TYPE)) == NULL) {
-+                               goto cleanup;
-+                       }
-+               }
-+               if (t->classes != NULL &&
-+                   apol_vector_get_size(t->classes) > 0 &&
-+                   (class_list = apol_query_create_candidate_class_list(p, t->classes)) == NULL) {
-+                       goto cleanup;
-+               }
-+       }
-+
-+       if (qpol_policy_get_filename_trans_iter(p->p, &iter) < 0) {
-+               return -1;
-+       }
-+
-+       if ((*v = apol_vector_create(NULL)) == NULL) {
-+               ERR(p, "%s", strerror(errno));
-+               goto cleanup;
-+       }
-+
-+       for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
-+               qpol_filename_trans_t *filename_trans;
-+               if (qpol_iterator_get_item(iter, (void **)&filename_trans) < 0) {
-+                       goto cleanup;
-+               }
-+               int match_source = 0, match_target = 0, match_default = 0, match_bool = 0;
-+               size_t i;
-+
-+               if (source_list == NULL) {
-+                       match_source = 1;
-+               } else {
-+                       const qpol_type_t *source_type;
-+                       if (qpol_filename_trans_get_source_type(p->p, filename_trans, &source_type) < 0) {
-+                               goto cleanup;
-+                       }
-+                       if (apol_vector_get_index(source_list, source_type, NULL, NULL, &i) == 0) {
-+                               match_source = 1;
-+                       }
-+               }
-+
-+               /* if source did not match, but treating source symbol
-+                * as any field, then delay rejecting this filename_trans until
-+                * the target and default have been checked */
-+               if (!source_as_any && !match_source) {
-+                       continue;
-+               }
-+
-+               if (target_list == NULL || (source_as_any && match_source)) {
-+                       match_target = 1;
-+               } else {
-+                       const qpol_type_t *target_type;
-+                       if (qpol_filename_trans_get_target_type(p->p, filename_trans, &target_type) < 0) {
-+                               goto cleanup;
-+                       }
-+                       if (apol_vector_get_index(target_list, target_type, NULL, NULL, &i) == 0) {
-+                               match_target = 1;
-+                       }
-+               }
-+
-+               if (!source_as_any && !match_target) {
-+                       continue;
-+               }
-+
-+               if (default_list == NULL || (source_as_any && match_source) || (source_as_any && match_target)) {
-+                       match_default = 1;
-+               } else {
-+                       const qpol_type_t *default_type;
-+                       if (qpol_filename_trans_get_default_type(p->p, filename_trans, &default_type) < 0) {
-+                               goto cleanup;
-+                       }
-+                       if (apol_vector_get_index(default_list, default_type, NULL, NULL, &i) == 0) {
-+                               match_default = 1;
-+                       }
-+               }
-+
-+               if (!source_as_any && !match_default) {
-+                       continue;
-+               }
-+               /* at least one thing must match if source_as_any was given */
-+               if (source_as_any && (!match_source && !match_target && !match_default)) {
-+                       continue;
-+               }
-+
-+               if (class_list != NULL) {
-+                       const qpol_class_t *obj_class;
-+                       if (qpol_filename_trans_get_object_class(p->p, filename_trans, &obj_class) < 0) {
-+                               goto cleanup;
-+                       }
-+                       if (apol_vector_get_index(class_list, obj_class, NULL, NULL, &i) < 0) {
-+                               continue;
-+                       }
-+               }
-+
-+               if (apol_vector_append(*v, filename_trans)) {
-+                       ERR(p, "%s", strerror(ENOMEM));
-+                       goto cleanup;
-+               }
-+       }
-+
-+       retval = 0;
-+      cleanup:
-+       if (retval != 0) {
-+               apol_vector_destroy(v);
-+       }
-+       apol_vector_destroy(&source_list);
-+       if (!source_as_any) {
-+               apol_vector_destroy(&target_list);
-+               apol_vector_destroy(&default_list);
-+       }
-+       apol_vector_destroy(&class_list);
-+       return retval;
-+}
-+
-+apol_filename_trans_query_t *apol_filename_trans_query_create(void)
-+{
-+       apol_filename_trans_query_t *t = calloc(1, sizeof(apol_filename_trans_query_t));
-+       if (t != NULL) {
-+               t->flags =
-+                       (APOL_QUERY_SOURCE_TYPE | APOL_QUERY_SOURCE_ATTRIBUTE | APOL_QUERY_TARGET_TYPE |
-+                        APOL_QUERY_TARGET_ATTRIBUTE);
-+       }
-+       return t;
-+}
-+
-+void apol_filename_trans_query_destroy(apol_filename_trans_query_t ** r)
-+{
-+       if (r != NULL && *r != NULL) {
-+               free((*r)->source);
-+               free((*r)->target);
-+               free((*r)->default_type);
-+               free((*r)->name);
-+               free(*r);
-+               *r = NULL;
-+       }
-+}
-+
-+int apol_filename_trans_query_set_source(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *filename, int is_indirect)
-+{
-+       apol_query_set_flag(p, &t->flags, is_indirect, APOL_QUERY_TARGET_INDIRECT);
-+       return apol_query_set(p, &t->source, NULL, filename);
-+}
-+
-+int apol_filename_trans_query_set_target(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *type, int is_indirect)
-+{
-+       apol_query_set_flag(p, &t->flags, is_indirect, APOL_QUERY_TARGET_INDIRECT);
-+       return apol_query_set(p, &t->target, NULL, type);
-+}
-+
-+int apol_filename_trans_query_set_default(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *symbol)
-+{
-+       return apol_query_set(p, &t->default_type, NULL, symbol);
-+}
-+
-+int apol_filename_trans_query_append_class(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *obj_class)
-+{
-+       char *s = NULL;
-+       if (obj_class == NULL) {
-+               apol_vector_destroy(&t->classes);
-+       } else if ((s = strdup(obj_class)) == NULL || (t->classes == NULL && (t->classes = apol_vector_create(free)) == NULL)
-+                  || apol_vector_append(t->classes, s) < 0) {
-+               ERR(p, "%s", strerror(errno));
-+               free(s);
-+               return -1;
-+       }
-+       return 0;
-+}
-+
-+int apol_filename_trans_query_set_name(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *filename)
-+{
-+       return apol_query_set(p, &t->name, NULL, filename);
-+}
-+
-+int apol_filename_trans_query_set_source_any(const apol_policy_t * p, apol_filename_trans_query_t * t, int is_any)
-+{
-+       return apol_query_set_flag(p, &t->flags, is_any, APOL_QUERY_SOURCE_AS_ANY);
-+}
-+
-+int apol_filename_trans_query_set_regex(const apol_policy_t * p, apol_filename_trans_query_t * t, int is_regex)
-+{
-+       return apol_query_set_regex(p, &t->flags, is_regex);
-+}
-+
-+char *apol_filename_trans_render(const apol_policy_t * policy, const qpol_filename_trans_t * filename_trans)
-+{
-+       char *tmp = NULL;
-+       const char *tmp_name = NULL;
-+       const char *filename_trans_type_str;
-+       int error = 0;
-+       size_t tmp_sz = 0;
-+       uint32_t filename_trans_type = 0;
-+       const qpol_type_t *type = NULL;
-+       const qpol_class_t *obj_class = NULL;
-+
-+       if (!policy || !filename_trans) {
-+               ERR(policy, "%s", strerror(EINVAL));
-+               errno = EINVAL;
-+               return NULL;
-+       }
-+
-+       /* source type */
-+       if (qpol_filename_trans_get_source_type(policy->p, filename_trans, &type)) {
-+               error = errno;
-+               goto err;
-+       }
-+       if (qpol_type_get_name(policy->p, type, &tmp_name)) {
-+               error = errno;
-+               goto err;
-+       }
-+       if (apol_str_appendf(&tmp, &tmp_sz, "transition_type %s ", tmp_name)) {
-+               error = errno;
-+               ERR(policy, "%s", strerror(error));
-+               goto err;
-+       }
-+
-+       /* target type */
-+       if (qpol_filename_trans_get_target_type(policy->p, filename_trans, &type)) {
-+               error = errno;
-+               goto err;
-+       }
-+       if (qpol_type_get_name(policy->p, type, &tmp_name)) {
-+               error = errno;
-+               goto err;
-+       }
-+       if (apol_str_appendf(&tmp, &tmp_sz, "%s : ", tmp_name)) {
-+               error = errno;
-+               ERR(policy, "%s", strerror(error));
-+               goto err;
-+       }
-+
-+       /* object class */
-+       if (qpol_filename_trans_get_object_class(policy->p, filename_trans, &obj_class)) {
-+               error = errno;
-+               goto err;
-+       }
-+       if (qpol_class_get_name(policy->p, obj_class, &tmp_name)) {
-+               error = errno;
-+               goto err;
-+       }
-+       if (apol_str_appendf(&tmp, &tmp_sz, "%s ", tmp_name)) {
-+               error = errno;
-+               ERR(policy, "%s", strerror(error));
-+               goto err;
-+       }
-+
-+       /* default type */
-+       if (qpol_filename_trans_get_default_type(policy->p, filename_trans, &type)) {
-+               error = errno;
-+               goto err;
-+       }
-+       if (qpol_type_get_name(policy->p, type, &tmp_name)) {
-+               error = errno;
-+               goto err;
-+       }
-+       if (apol_str_appendf(&tmp, &tmp_sz, "%s", tmp_name)) {
-+               error = errno;
-+               ERR(policy, "%s", strerror(error));
-+               goto err;
-+       }
-+
-+       if (qpol_filename_trans_get_filename(policy->p, filename_trans, &tmp_name)) {
-+               error = errno;
-+               goto err;
-+       }
-+
-+       if (apol_str_appendf(&tmp, &tmp_sz, " %s", tmp_name)) {
-+               error = errno;
-+               ERR(policy, "%s", strerror(error));
-+               goto err;
-+       }
-+
-+       if (apol_str_appendf(&tmp, &tmp_sz, ";")) {
-+               error = errno;
-+               ERR(policy, "%s", strerror(error));
-+               goto err;
-+       }
-+       return tmp;
-+
-+      err:
-+       free(tmp);
-+       errno = error;
-+       return NULL;
-+}
-diff --git a/libapol/src/libapol.map b/libapol/src/libapol.map
-index 4894374..7657a2d 100644
---- a/libapol/src/libapol.map
-+++ b/libapol/src/libapol.map
-@@ -34,6 +34,7 @@ VERS_4.0{
-                apol_protocol_to_str;
-                apol_qpol_context_render;
-                apol_range_trans_*;
-+               apol_filename_trans_*;
-                apol_relabel_*;
-                apol_role_*;
-                apol_role_allow_*;
-diff --git a/libqpol/include/qpol/Makefile.am b/libqpol/include/qpol/Makefile.am
-index b55acb7..9b570e1 100644
---- a/libqpol/include/qpol/Makefile.am
-+++ b/libqpol/include/qpol/Makefile.am
-@@ -25,6 +25,7 @@ qpol_HEADERS = \
-        role_query.h \
-        syn_rule_query.h \
-        terule_query.h \
-+       ftrule_query.h \
-        type_query.h \
-        user_query.h \
-        util.h
-diff --git a/libqpol/include/qpol/ftrule_query.h b/libqpol/include/qpol/ftrule_query.h
-new file mode 100644
-index 0000000..1f533a4
---- /dev/null
-+++ b/libqpol/include/qpol/ftrule_query.h
-@@ -0,0 +1,116 @@
-+/**
-+ *  @file
-+ *  Defines public interface for iterating over FTRULE rules.
-+ *
-+ *  @author Kevin Carr kcarr@tresys.com
-+ *  @author Jeremy A. Mowery jmowery@tresys.com
-+ *  @author Jason Tang jtang@tresys.com
-+ *
-+ *  Copyright (C) 2006-2007 Tresys Technology, LLC
-+ *
-+ *  This library is free software; you can redistribute it and/or
-+ *  modify it under the terms of the GNU Lesser General Public
-+ *  License as published by the Free Software Foundation; either
-+ *  version 2.1 of the License, or (at your option) any later version.
-+ *
-+ *  This library is distributed in the hope that it will be useful,
-+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+ *  Lesser General Public License for more details.
-+ *
-+ *  You should have received a copy of the GNU Lesser General Public
-+ *  License along with this library; if not, write to the Free Software
-+ *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-+ */
-+
-+#ifndef QPOL_FTRULERULE_QUERY
-+#define QPOL_FTRULERULE_QUERY
-+
-+#ifdef __cplusplus
-+extern "C"
-+{
-+#endif
-+
-+#include <qpol/policy.h>
-+#include <qpol/iterator.h>
-+
-+       typedef struct qpol_filename_trans qpol_filename_trans_t;
-+
-+/**
-+ *  Get an iterator over all filename transition rules in the policy.
-+ *  @param policy Policy from which to create the iterator.
-+ *  @param iter Iterator over items of type qpol_filename_trans_t returned.
-+ *  The caller is responsible for calling qpol_iterator_destroy()
-+ *  to free memory used by this iterator.
-+ *  It is important to note that this iterator is only valid as long as
-+ *  the policy is unmodifed.
-+ *  @returm 0 on success and < 0 on failure; if the call fails,
-+ *  errno will be set and *iter will be NULL.
-+ */
-+       extern int qpol_policy_get_filename_trans_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter);
-+
-+/**
-+ *  Get the source type from a filename transition rule.
-+ *  @param policy The policy from which the rule comes.
-+ *  @param rule The rule from which to get the source type.
-+ *  @param source Pointer in which to store the source type.
-+ *  The caller should not free this pointer.
-+ *  @return 0 on success and < 0 on failure; if the call fails,
-+ *  errno will be set and *source will be NULL.
-+ */
-+       extern int qpol_filename_trans_get_source_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule,
-+                                                  const qpol_type_t ** source);
-+
-+/**
-+ *  Get the target type from a filename transition rule.
-+ *  @param policy The policy from which the rule comes.
-+ *  @param rule The rule from which to get the target type.
-+ *  @param target Pointer in which to store the target type.
-+ *  The caller should not free this pointer.
-+ *  @return 0 on success and < 0 on failure; if the call fails,
-+ *  errno will be set and *target will be NULL.
-+ */
-+       extern int qpol_filename_trans_get_target_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule,
-+                                                  const qpol_type_t ** target);
-+
-+/**
-+ *  Get the default type from a type rule.
-+ *  @param policy Policy from which the rule comes.
-+ *  @param rule The rule from which to get the default type.
-+ *  @param dflt Pointer in which to store the default type.
-+ *  The caller should not free this pointer.
-+ *  @returm 0 on success and < 0 on failure; if the call fails,
-+ *  errno will be set and *dflt will be NULL.
-+ */
-+       extern int qpol_filename_trans_get_default_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule,
-+                                               const qpol_type_t ** dflt);
-+
-+/**
-+ *  Get the object class from a type rule.
-+ *  @param policy Policy from which the rule comes.
-+ *  @param rule The rule from which to get the object class.
-+ *  @param obj_class Pointer in which to store the object class.
-+ *  The caller should not free this pointer.
-+ *  @returm 0 on success and < 0 on failure; if the call fails,
-+ *  errno will be set and *obj_class will be NULL.
-+ */
-+       extern int qpol_filename_trans_get_object_class(const qpol_policy_t * policy, const qpol_filename_trans_t * rule,
-+                                               const qpol_class_t ** obj_class);
-+
-+/**
-+ *  Get the transition filename type from a type rule.
-+ *  @param policy Policy from which the rule comes.
-+ *  @param rule The rule from which to get the transition filename.
-+ *  @param target Pointer in which to store the transition filename.
-+ *  The caller should not free this pointer.
-+ *  @returm 0 on success and < 0 on failure; if the call fails,
-+ *  errno will be set and *target will be NULL.
-+ */
-+       extern int qpol_filename_trans_get_filename(const qpol_policy_t * policy, const qpol_filename_trans_t * rule,
-+                                                      const char ** name);
-+
-+#ifdef __cplusplus
-+}
-+#endif
-+
-+#endif                                /* QPOL_FTRULERULE_QUERY */
-diff --git a/libqpol/include/qpol/policy.h b/libqpol/include/qpol/policy.h
-index ae4ea08..bf85718 100644
---- a/libqpol/include/qpol/policy.h
-+++ b/libqpol/include/qpol/policy.h
-@@ -55,6 +55,7 @@ extern "C"
- #include <qpol/polcap_query.h>
- #include <qpol/portcon_query.h>
- #include <qpol/rbacrule_query.h>
-+#include <qpol/ftrule_query.h>
- #include <qpol/role_query.h>
- #include <qpol/syn_rule_query.h>
- #include <qpol/terule_query.h>
-diff --git a/libqpol/src/Makefile.am b/libqpol/src/Makefile.am
-index 34d87a6..0889a61 100644
---- a/libqpol/src/Makefile.am
-+++ b/libqpol/src/Makefile.am
-@@ -48,6 +48,7 @@ libqpol_a_SOURCES = \
-        syn_rule_internal.h \
-        syn_rule_query.c \
-        terule_query.c \
-+       ftrule_query.c \
-        type_query.c \
-        user_query.c \
-        util.c \
-diff --git a/libqpol/src/ftrule_query.c b/libqpol/src/ftrule_query.c
-new file mode 100644
-index 0000000..d6db848
---- /dev/null
-+++ b/libqpol/src/ftrule_query.c
-@@ -0,0 +1,277 @@
-+/**
-+ *  @file
-+ *  Defines public interface for iterating over RBAC rules.
-+ *
-+ *  @author Jeremy A. Mowery jmowery@tresys.com
-+ *  @author Jason Tang jtang@tresys.com
-+ *
-+ *  Copyright (C) 2006-2007 Tresys Technology, LLC
-+ *
-+ *  This library is free software; you can redistribute it and/or
-+ *  modify it under the terms of the GNU Lesser General Public
-+ *  License as published by the Free Software Foundation; either
-+ *  version 2.1 of the License, or (at your option) any later version.
-+ *
-+ *  This library is distributed in the hope that it will be useful,
-+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+ *  Lesser General Public License for more details.
-+ *
-+ *  You should have received a copy of the GNU Lesser General Public
-+ *  License along with this library; if not, write to the Free Software
-+ *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-+ */
-+
-+#include <qpol/iterator.h>
-+#include <qpol/policy.h>
-+#include <qpol/ftrule_query.h>
-+#include <stdlib.h>
-+#include "iterator_internal.h"
-+#include "qpol_internal.h"
-+#include <sepol/policydb/policydb.h>
-+
-+typedef struct filename_trans_state
-+{
-+       filename_trans_t *head;
-+       filename_trans_t *cur;
-+} filename_trans_state_t;
-+
-+static int filename_trans_state_end(const qpol_iterator_t * iter)
-+{
-+       filename_trans_state_t *fts = NULL;
-+
-+       if (!iter || !(fts = qpol_iterator_state(iter))) {
-+               errno = EINVAL;
-+               return STATUS_ERR;
-+       }
-+
-+       return fts->cur ? 0 : 1;
-+}
-+
-+static void *filename_trans_state_get_cur(const qpol_iterator_t * iter)
-+{
-+       filename_trans_state_t *fts = NULL;
-+       const policydb_t *db = NULL;
-+
-+       if (!iter || !(fts = qpol_iterator_state(iter)) || !(db = qpol_iterator_policy(iter)) || filename_trans_state_end(iter)) {
-+               errno = EINVAL;
-+               return NULL;
-+       }
-+
-+       return fts->cur;
-+}
-+
-+static int filename_trans_state_next(qpol_iterator_t * iter)
-+{
-+       filename_trans_state_t *fts = NULL;
-+       const policydb_t *db = NULL;
-+
-+       if (!iter || !(fts = qpol_iterator_state(iter)) || !(db = qpol_iterator_policy(iter))) {
-+               errno = EINVAL;
-+               return STATUS_ERR;
-+       }
-+
-+       if (filename_trans_state_end(iter)) {
-+               errno = ERANGE;
-+               return STATUS_ERR;
-+       }
-+
-+       fts->cur = fts->cur->next;
-+
-+       return STATUS_SUCCESS;
-+}
-+
-+static size_t filename_trans_state_size(const qpol_iterator_t * iter)
-+{
-+       filename_trans_state_t *fts = NULL;
-+       const policydb_t *db = NULL;
-+       filename_trans_t *tmp = NULL;
-+       size_t count = 0;
-+
-+       if (!iter || !(fts = qpol_iterator_state(iter)) || !(db = qpol_iterator_policy(iter))) {
-+               errno = EINVAL;
-+               return STATUS_ERR;
-+       }
-+
-+       for (tmp = fts->head; tmp; tmp = tmp->next)
-+               count++;
-+
-+       return count;
-+}
-+
-+int qpol_policy_get_filename_trans_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter)
-+{
-+       policydb_t *db = NULL;
-+       filename_trans_state_t *fts = NULL;
-+       int error = 0;
-+
-+       if (iter)
-+               *iter = NULL;
-+
-+       if (!policy || !iter) {
-+               ERR(policy, "%s", strerror(EINVAL));
-+               errno = EINVAL;
-+               return STATUS_ERR;
-+       }
-+
-+       db = &policy->p->p;
-+
-+       fts = calloc(1, sizeof(filename_trans_state_t));
-+       if (!fts) {
-+               /* errno set by calloc */
-+               ERR(policy, "%s", strerror(errno));
-+               return STATUS_ERR;
-+       }
-+       fts->head = fts->cur = db->filename_trans;
-+
-+       if (qpol_iterator_create
-+           (policy, (void *)fts, filename_trans_state_get_cur, filename_trans_state_next, filename_trans_state_end, filename_trans_state_size,
-+            free, iter)) {
-+               error = errno;
-+               free(fts);
-+               errno = error;
-+               return STATUS_ERR;
-+       }
-+
-+       return STATUS_SUCCESS;
-+}
-+
-+int qpol_filename_trans_get_source_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const qpol_type_t ** source)
-+{
-+       policydb_t *db = NULL;
-+       filename_trans_t *ft = NULL;
-+
-+       if (source) {
-+               *source = NULL;
-+       }
-+
-+       if (!policy || !rule || !source) {
-+               ERR(policy, "%s", strerror(EINVAL));
-+               errno = EINVAL;
-+               return STATUS_ERR;
-+       }
-+
-+       db = &policy->p->p;
-+       ft = (filename_trans_t *) rule;
-+
-+       *source = (qpol_type_t *) db->type_val_to_struct[ft->stype - 1];
-+
-+       return STATUS_SUCCESS;
-+}
-+
-+int qpol_filename_trans_get_target_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const qpol_type_t ** target)
-+{
-+       policydb_t *db = NULL;
-+       filename_trans_t *ft = NULL;
-+
-+       if (target) {
-+               *target = NULL;
-+       }
-+
-+       if (!policy || !rule || !target) {
-+               ERR(policy, "%s", strerror(EINVAL));
-+               errno = EINVAL;
-+               return STATUS_ERR;
-+       }
-+
-+       db = &policy->p->p;
-+       ft = (filename_trans_t *) rule;
-+
-+       *target = (qpol_type_t *) db->type_val_to_struct[ft->ttype - 1];
-+
-+       return STATUS_SUCCESS;
-+}
-+
-+int qpol_filename_trans_get_object_class(const qpol_policy_t * policy, const qpol_filename_trans_t * rule,
-+                                               const qpol_class_t ** obj_class)
-+{
-+       policydb_t *db = NULL;
-+       filename_trans_t *ft = NULL;
-+
-+       if (obj_class) {
-+               *obj_class = NULL;
-+       }
-+
-+       if (!policy || !rule || !obj_class) {
-+               ERR(policy, "%s", strerror(EINVAL));
-+               errno = EINVAL;
-+               return STATUS_ERR;
-+       }
-+
-+       db = &policy->p->p;
-+       ft = (filename_trans_t *) rule;
-+
-+       *obj_class = (qpol_class_t *) db->class_val_to_struct[ft->tclass - 1];
-+
-+       return STATUS_SUCCESS;
-+}
-+
-+int qpol_filename_trans_get_trans_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const qpol_type_t ** output_type)
-+{
-+       policydb_t *db = NULL;
-+       filename_trans_t *ft = NULL;
-+
-+       if (output_type) {
-+               *output_type = NULL;
-+       }
-+
-+       if (!policy || !rule || !output_type) {
-+               ERR(policy, "%s", strerror(EINVAL));
-+               errno = EINVAL;
-+               return STATUS_ERR;
-+       }
-+
-+       db = &policy->p->p;
-+       ft = (filename_trans_t *) rule;
-+
-+       *output_type = (qpol_type_t *) db->type_val_to_struct[ft->otype - 1];
-+
-+       return STATUS_SUCCESS;
-+}
-+
-+int qpol_filename_trans_get_default_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const qpol_type_t ** dflt)
-+{
-+       policydb_t *db = NULL;
-+       filename_trans_t *ft = NULL;
-+
-+       if (dflt) {
-+               *dflt = NULL;
-+       }
-+
-+       if (!policy || !rule || !dflt) {
-+               ERR(policy, "%s", strerror(EINVAL));
-+               errno = EINVAL;
-+               return STATUS_ERR;
-+       }
-+
-+       db = &policy->p->p;
-+       ft = (filename_trans_t *) rule;
-+
-+       *dflt = (qpol_type_t *) db->type_val_to_struct[ft->otype - 1];
-+
-+       return STATUS_SUCCESS;
-+}
-+
-+int qpol_filename_trans_get_filename(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const char ** name)
-+{
-+       policydb_t *db = NULL;
-+       filename_trans_t *ft = NULL;
-+
-+       if (name) {
-+               *name = NULL;
-+       }
-+
-+       if (!policy || !rule || !name) {
-+               ERR(policy, "%s", strerror(EINVAL));
-+               errno = EINVAL;
-+               return STATUS_ERR;
-+       }
-+
-+       db = &policy->p->p;
-+       ft = (filename_trans_t *) rule;
-+
-+       *name = ft->name;
-+
-+       return STATUS_SUCCESS;
-+}
-+
-diff --git a/libqpol/src/libqpol.map b/libqpol/src/libqpol.map
-index dd293bc..6973cca 100644
---- a/libqpol/src/libqpol.map
-+++ b/libqpol/src/libqpol.map
-@@ -34,6 +34,7 @@ VERS_1.2 {
-                qpol_policy_reevaluate_conds;
-                qpol_portcon_*;
-                qpol_range_trans_*;
-+               qpol_filename_trans_*;
-                qpol_role_*;
-                qpol_syn_avrule_*;
-                qpol_syn_terule_*;
-diff --git a/libqpol/src/module_compiler.c b/libqpol/src/module_compiler.c
-index dc19798..b06e285 100644
---- a/libqpol/src/module_compiler.c
-+++ b/libqpol/src/module_compiler.c
-@@ -1247,6 +1247,18 @@ void append_role_allow(role_allow_rule_t * role_allow_rules)
- }
- 
- /* this doesn't actually append, but really prepends it */
-+void append_filename_trans(filename_trans_rule_t * filename_trans_rules)
-+{
-+       avrule_decl_t *decl = stack_top->decl;
-+
-+       /* filename transitions are not allowed within conditionals */
-+       assert(stack_top->type == 1);
-+
-+       filename_trans_rules->next = decl->filename_trans_rules;
-+       decl->filename_trans_rules = filename_trans_rules;
-+}
-+
-+/* this doesn't actually append, but really prepends it */
- void append_range_trans(range_trans_rule_t * range_tr_rules)
- {
-        avrule_decl_t *decl = stack_top->decl;
-diff --git a/libqpol/src/policy_define.c b/libqpol/src/policy_define.c
-index c94f7aa..0f3a45a 100644
---- a/libqpol/src/policy_define.c
-+++ b/libqpol/src/policy_define.c
-@@ -2133,7 +2133,7 @@ int define_role_trans(void)
- 
-        /* This ebitmap business is just to ensure that there are not conflicting role_trans rules */
- #ifdef HAVE_SEPOL_USER_ROLE_MAPPING
--       if (role_set_expand(&roles, &e_roles, policydbp, NULL))
-+       if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL))
- #else
-        if (role_set_expand(&roles, &e_roles, policydbp))
- #endif
-@@ -2226,6 +2226,190 @@ int define_role_allow(void)
-        return 0;
- }
- 
-+avrule_t *define_cond_filename_trans(void)
-+{
-+       yyerror("type transitions with a filename not allowed inside "
-+               "conditionals\n");
-+       return COND_ERR;
-+}
-+
-+int define_filename_trans(void)
-+{
-+       char *id, *name = NULL;
-+       type_set_t stypes, ttypes;
-+       ebitmap_t e_stypes, e_ttypes;
-+       ebitmap_t e_tclasses;
-+       ebitmap_node_t *snode, *tnode, *cnode;
-+       filename_trans_t *ft;
-+       filename_trans_rule_t *ftr;
-+       class_datum_t *cladatum;
-+       type_datum_t *typdatum;
-+       uint32_t otype;
-+       unsigned int c, s, t;
-+       int add;
-+
-+       if (pass == 1) {
-+               /* stype */
-+               while ((id = queue_remove(id_queue)))
-+                       free(id);
-+               /* ttype */
-+               while ((id = queue_remove(id_queue)))
-+                       free(id);
-+               /* tclass */
-+               while ((id = queue_remove(id_queue)))
-+                       free(id);
-+               /* otype */
-+               id = queue_remove(id_queue);
-+               free(id);
-+               /* name */
-+               id = queue_remove(id_queue);
-+               free(id);
-+               return 0;
-+       }
-+
-+
-+       add = 1;
-+       type_set_init(&stypes);
-+       while ((id = queue_remove(id_queue))) {
-+               if (set_types(&stypes, id, &add, 0))
-+                       goto bad;
-+       }
-+
-+       add =1;
-+       type_set_init(&ttypes);
-+       while ((id = queue_remove(id_queue))) {
-+               if (set_types(&ttypes, id, &add, 0))
-+                       goto bad;
-+       }
-+
-+       ebitmap_init(&e_tclasses);
-+       while ((id = queue_remove(id_queue))) {
-+               if (!is_id_in_scope(SYM_CLASSES, id)) {
-+                       yyerror2("class %s is not within scope", id);
-+                       free(id);
-+                       goto bad;
-+               }
-+               cladatum = hashtab_search(policydbp->p_classes.table, id);
-+               if (!cladatum) {
-+                       yyerror2("unknown class %s", id);
-+                       goto bad;
-+               }
-+               if (ebitmap_set_bit(&e_tclasses, cladatum->s.value - 1, TRUE)) {
-+                       yyerror("Out of memory");
-+                       goto bad;
-+               }
-+               free(id);
-+       }
-+
-+       id = (char *)queue_remove(id_queue);
-+       if (!id) {
-+               yyerror("no otype in transition definition?");
-+               goto bad;
-+       }
-+       if (!is_id_in_scope(SYM_TYPES, id)) {
-+               yyerror2("type %s is not within scope", id);
-+               free(id);
-+               goto bad;
-+       }
-+       typdatum = hashtab_search(policydbp->p_types.table, id);
-+       if (!typdatum) {
-+               yyerror2("unknown type %s used in transition definition", id);
-+               goto bad;
-+       }
-+       free(id);
-+       otype = typdatum->s.value;
-+
-+       name = queue_remove(id_queue);
-+       if (!name) {
-+               yyerror("no pathname specified in filename_trans definition?");
-+               goto bad;
-+       }
-+
-+       /* We expand the class set into seperate rules.  We expand the types
-+        * just to make sure there are not duplicates.  They will get turned
-+        * into seperate rules later */
-+       ebitmap_init(&e_stypes);
-+       if (type_set_expand(&stypes, &e_stypes, policydbp, 1))
-+               goto bad;
-+
-+       ebitmap_init(&e_ttypes);
-+       if (type_set_expand(&ttypes, &e_ttypes, policydbp, 1))
-+               goto bad;
-+
-+       ebitmap_for_each_bit(&e_tclasses, cnode, c) {
-+               if (!ebitmap_node_get_bit(cnode, c))
-+                       continue;
-+               ebitmap_for_each_bit(&e_stypes, snode, s) {
-+                       if (!ebitmap_node_get_bit(snode, s))
-+                               continue;
-+                       ebitmap_for_each_bit(&e_ttypes, tnode, t) {
-+                               if (!ebitmap_node_get_bit(tnode, t))
-+                                       continue;
-+       
-+                               for (ft = policydbp->filename_trans; ft; ft = ft->next) {
-+                                       if (ft->stype == (s + 1) &&
-+                                           ft->ttype == (t + 1) &&
-+                                           ft->tclass == (c + 1) &&
-+                                           !strcmp(ft->name, name)) {
-+                                               yyerror2("duplicate filename transition for: filename_trans %s %s %s:%s",
-+                                                        name, 
-+                                                        policydbp->p_type_val_to_name[s],
-+                                                        policydbp->p_type_val_to_name[t],
-+                                                        policydbp->p_class_val_to_name[c]);
-+                                               goto bad;
-+                                       }
-+                               }
-+       
-+                               ft = malloc(sizeof(*ft));
-+                               if (!ft) {
-+                                       yyerror("out of memory");
-+                                       goto bad;
-+                               }
-+                               memset(ft, 0, sizeof(*ft));
-+       
-+                               ft->next = policydbp->filename_trans;
-+                               policydbp->filename_trans = ft;
-+       
-+                               ft->name = strdup(name);
-+                               if (!ft->name) {
-+                                       yyerror("out of memory");
-+                                       goto bad;
-+                               }
-+                               ft->stype = s + 1;
-+                               ft->ttype = t + 1;
-+                               ft->tclass = c + 1;
-+                               ft->otype = otype;
-+                       }
-+               }
-+       
-+               /* Now add the real rule since we didn't find any duplicates */
-+               ftr = malloc(sizeof(*ftr));
-+               if (!ftr) {
-+                       yyerror("out of memory");
-+                       goto bad;
-+               }
-+               filename_trans_rule_init(ftr);
-+               append_filename_trans(ftr);
-+
-+               ftr->name = strdup(name);
-+               ftr->stypes = stypes;
-+               ftr->ttypes = ttypes;
-+               ftr->tclass = c + 1;
-+               ftr->otype = otype;
-+       }
-+
-+       free(name);
-+       ebitmap_destroy(&e_stypes);
-+       ebitmap_destroy(&e_ttypes);
-+       ebitmap_destroy(&e_tclasses);
-+
-+       return 0;
-+
-+bad:
-+       free(name);
-+       return -1;
-+}
-+
- static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr)
- {
-        constraint_expr_t *h = NULL, *l = NULL, *e, *newe;
-diff --git a/libqpol/src/policy_parse.y b/libqpol/src/policy_parse.y
-index 84f4114..dc16c6f 100644
---- a/libqpol/src/policy_parse.y
-+++ b/libqpol/src/policy_parse.y
-@@ -98,6 +98,7 @@ extern char *qpol_src_inputlim;/* end of data */
- %type <require_func> require_decl_def
- 
- %token PATH
-+%token FILENAME
- %token CLONE
- %token COMMON
- %token CLASS
-@@ -360,7 +361,10 @@ cond_rule_def           : cond_transition_def
-                        | require_block
-                        { $$ = NULL; }
-                         ;
--cond_transition_def    : TYPE_TRANSITION names names ':' names identifier ';'
-+cond_transition_def    : TYPE_TRANSITION names names ':' names identifier filename ';'
-+                        { $$ = define_cond_filename_trans() ;
-+                          if ($$ == COND_ERR) return -1;}
-+                        | TYPE_TRANSITION names names ':' names identifier ';'
-                         { $$ = define_cond_compute_type(AVRULE_TRANSITION) ;
-                           if ($$ == COND_ERR) return -1;}
-                         | TYPE_MEMBER names names ':' names identifier ';'
-@@ -395,7 +399,9 @@ cond_dontaudit_def  : DONTAUDIT names names ':' names names ';'
-                        { $$ = define_cond_te_avtab(AVRULE_DONTAUDIT);
-                           if ($$ == COND_ERR) return -1; }
-                        ;
--transition_def         : TYPE_TRANSITION names names ':' names identifier ';'
-+transition_def         : TYPE_TRANSITION  names names ':' names identifier filename ';'
-+                       {if (define_filename_trans()) return -1; }
-+                       | TYPE_TRANSITION names names ':' names identifier ';'
-                         {if (define_compute_type(AVRULE_TRANSITION)) return -1;}
-                         | TYPE_MEMBER names names ':' names identifier ';'
-                         {if (define_compute_type(AVRULE_MEMBER)) return -1;}
-@@ -752,6 +758,9 @@ identifier          : IDENTIFIER
- path                   : PATH
-                        { if (insert_id(yytext,0)) return -1; }
-                        ;
-+filename               : FILENAME
-+                       { yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; }
-+                       ;
- number                 : NUMBER 
-                        { $$ = strtoul(yytext,NULL,0); }
-                        ;
-diff --git a/libqpol/src/policy_scan.l b/libqpol/src/policy_scan.l
-index 75485f3..30203cd 100644
---- a/libqpol/src/policy_scan.l
-+++ b/libqpol/src/policy_scan.l
-@@ -235,6 +235,7 @@ POLICYCAP                   { return(POLICYCAP); }
- permissive |
- PERMISSIVE                     { return(PERMISSIVE); }
- "/"({alnum}|[_\.\-/])*         { return(PATH); }
-+\"({alnum}|[_\.\-])+\"                 { return(FILENAME); }
- {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*        { return(IDENTIFIER); }
- {digit}+|0x{hexval}+            { return(NUMBER); }
- {digit}{1,3}(\.{digit}{1,3}){3}    { return(IPV4_ADDR); }
-diff --git a/secmds/sesearch.c b/secmds/sesearch.c
-index ec0315f..e44b3bc 100644
---- a/secmds/sesearch.c
-+++ b/secmds/sesearch.c
-@@ -575,6 +575,95 @@ static void print_te_results(const apol_policy_t * policy, const options_t * opt
-        free(expr);
- }
- 
-+static int perform_ft_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v)
-+{
-+       apol_filename_trans_query_t *ftq = NULL;
-+       int error = 0;
-+
-+       if (!policy || !opt || !v) {
-+               ERR(policy, "%s", strerror(EINVAL));
-+               errno = EINVAL;
-+               return -1;
-+       }
-+
-+       if (!opt->type == QPOL_RULE_TYPE_TRANS && !opt->all) {
-+               *v = NULL;
-+               return 0;              /* no search to do */
-+       }
-+
-+       ftq = apol_filename_trans_query_create();
-+       if (!ftq) {
-+               ERR(policy, "%s", strerror(ENOMEM));
-+               errno = ENOMEM;
-+               return -1;
-+       }
-+
-+       apol_filename_trans_query_set_regex(policy, ftq, opt->useregex);
-+       if (opt->src_name) {
-+               if (apol_filename_trans_query_set_source(policy, ftq, opt->src_name)) {
-+                       error = errno;
-+                       goto err;
-+               }
-+       }
-+       if (opt->tgt_name) {
-+               if (apol_filename_trans_query_set_target(policy, ftq, opt->tgt_name, opt->indirect)) {
-+                       error = errno;
-+                       goto err;
-+               }
-+       }
-+
-+       if (apol_filename_trans_get_by_query(policy, ftq, v)) {
-+               error = errno;
-+               goto err;
-+       }
-+
-+       apol_filename_trans_query_destroy(&ftq);
-+       return 0;
-+
-+      err:
-+       apol_vector_destroy(v);
-+       apol_filename_trans_query_destroy(&ftq);
-+       ERR(policy, "%s", strerror(error));
-+       errno = error;
-+       return -1;
-+}
-+
-+static void print_ft_results(const apol_policy_t * policy, const options_t * opt, const apol_vector_t * v)
-+{
-+       qpol_policy_t *q = apol_policy_get_qpol(policy);
-+       size_t i, num_rules = 0;
-+       const qpol_filename_trans_t *rule = NULL;
-+       char *tmp = NULL, *rule_str = NULL, *expr = NULL;
-+       char enable_char = ' ', branch_char = ' ';
-+       qpol_iterator_t *iter = NULL;
-+       const qpol_cond_t *cond = NULL;
-+       uint32_t enabled = 0, list = 0;
-+
-+       if (!(num_rules = apol_vector_get_size(v)))
-+               goto cleanup;
-+
-+       fprintf(stdout, "Found %zd named file transition rules:\n", num_rules);
-+
-+       for (i = 0; i < num_rules; i++) {
-+               enable_char = branch_char = ' ';
-+               if (!(rule = apol_vector_get_element(v, i)))
-+                       goto cleanup;
-+
-+               if (!(rule_str = apol_filename_trans_render(policy, rule)))
-+                       goto cleanup;
-+               fprintf(stdout, "%s %s\n", rule_str, expr ? expr : "");
-+               free(rule_str);
-+               rule_str = NULL;
-+               free(expr);
-+               expr = NULL;
-+       }
-+
-+      cleanup:
-+       free(tmp);
-+       free(rule_str);
-+       free(expr);
-+}
-+
- static int perform_ra_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v)
- {
-        apol_role_allow_query_t *raq = NULL;
-@@ -1128,6 +1217,18 @@ int main(int argc, char **argv)
-                        print_te_results(policy, &cmd_opts, v);
-                fprintf(stdout, "\n");
-        }
-+
-+       if (cmd_opts.all || cmd_opts.type == QPOL_RULE_TYPE_TRANS) {
-+               apol_vector_destroy(&v);
-+               if (perform_ft_query(policy, &cmd_opts, &v)) {
-+                       rt = 1;
-+                       goto cleanup;
-+               }
-+
-+               print_ft_results(policy, &cmd_opts, v);
-+               fprintf(stdout, "\n");
-+       }
-+
-        apol_vector_destroy(&v);
-        if (perform_ra_query(policy, &cmd_opts, &v)) {
-                rt = 1;
--- 
-1.7.5.4
-
diff --git a/recipes-security/setools/setools/setools-replcon-correct-invalid-prototype-for-lsetfilecon_ra.patch b/recipes-security/setools/setools/setools-replcon-correct-invalid-prototype-for-lsetfilecon_ra.patch
new file mode 100644
index 0000000..c9bacbd
--- /dev/null
+++ b/recipes-security/setools/setools/setools-replcon-correct-invalid-prototype-for-lsetfilecon_ra.patch
@@ -0,0 +1,34 @@
+From 74680dfb3df4c0c5b0e4bcf41717a9ea16fd8680 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Mon, 29 Sep 2014 14:19:48 -0400
+Subject: [PATCH] replcon: correct invalid prototype for lsetfilecon_raw
+
+Port debian patch from:
+
+        git://anonscm.debian.org/selinux/setools.git
+        commit a3ab84b35efd9c42641d53ec2236ad01f7411df7
+
+Upstream-Status: Denied [ the setools3 tree is in stasis and the focus is
+                          only on setools4 now ]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ secmds/replcon.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/secmds/replcon.cc b/secmds/replcon.cc
+index 34f7c1a..307c39f 100644
+--- a/secmds/replcon.cc
++++ b/secmds/replcon.cc
+@@ -60,7 +60,7 @@ static struct option const longopts[] = {
+        {NULL, 0, NULL, 0}
+ };
+ 
+-extern int lsetfilecon_raw(const char *, security_context_t) __attribute__ ((weak));
++extern int lsetfilecon_raw(const char *, const char *) __attribute__ ((weak));
+ 
+ /**
+  * As that setools must work with older libselinux versions that may
+-- 
+1.9.1
+
diff --git a/recipes-security/setools/setools_3.3.8.bb b/recipes-security/setools/setools_3.3.8.bb
index 6f3b1dd..050f4ff 100644
--- a/recipes-security/setools/setools_3.3.8.bb
+++ b/recipes-security/setools/setools_3.3.8.bb
@@ -14,7 +14,6 @@ SRC_URI[sha256sum] = "44387ecc9a231ec536a937783440cd8960a72c51f14bffc1604b7525e3
 
 SRC_URI += "file://setools-neverallow-rules-all-always-fail.patch"
 SRC_URI += "file://setools-Fix-sepol-calls-to-work-with-latest-libsepol.patch"
-#SRC_URI += "file://setools-Changes-to-support-named-file_trans-rules.patch"
 
 SRC_URI += "file://setools-Don-t-check-selinux-policies-if-disabled.patch"
 SRC_URI += "file://setools-configure-ac.patch"
@@ -23,6 +22,8 @@ SRC_URI += "file://setools-cross-ar.patch"
 SRC_URI += "file://setools-Fix-test-bug-for-unary-operator.patch"
 SRC_URI += "file://setools-Fix-python-setools-Makefile.am-for-cross.patch"
 
+SRC_URI += "file://setools-replcon-correct-invalid-prototype-for-lsetfilecon_ra.patch"
+
 LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=26035c503c68ae1098177934ac0cc795 \
                     file://${S}/COPYING.GPL;md5=751419260aa954499f7abaabaa882bbe \
                     file://${S}/COPYING.LGPL;md5=fbc093901857fcd118f065f900982c24"